g. M M w m

- M >

E m O u M >W <M

> <E E > > W u- w w o d J J o L L s

- C U " -

" - .. E u ** Z r w pw ..

r g

w z wo x- # "O Md W m 2" M.  %.

M

. *m k*w m 2.

or

'5 m Ev 7 T m 54 5 59 um 50 v- .

um

.u 4 m

u 4

=

v v-

.~

u .

. .u<

7-2

______ _-_ ________._____ .-_--J

15' t i :.

' ' ~ ~ ~ , , . . _,

> W- i 4 t

.J > m W ( (

CC a 3 WO A

> Q CE W W EC W W IO

.JW>b4 '&H W Ch. ( W W w -

OMJ W W W 43 H to WEQEQ- W<

EE p"WWE (g

O *= W mM

• m >=

• Od' DM O W3 U *Q D W *> aC W MZJEW W WWC CD M >= V W. X elC *

-WKW mU& -i E3EOC CK O I

+=mKmo D e>

C H .J Q

• eC Q *WUw OM WM W QEM CL W G Z ** W-CL CK E E O O ' Ch. J W

- CL M Q W E . CL O O CC WUKW em O W

>= A EC Wq ' CK U O

- CC W W w E

• Q W M Z == >= Q Q tlA O O >= m Q.

4 b W W Q C em bW Q 5

r - -C .J o eu w m 4 >= >= E A C CE 3 E O CL to 3 W >- W u k= Q

• = C % L.) at 7.m CE 8""' W >= C'E CO .g W aC CE O aC alC H EU N >= .J W 4J ea >= E J'

W th

>W WQ QbWW@Q' CW ** CL E A G Q 3 W W e=e O@C Q CO M Z

+J b C W Q >= 5

v. E DW M w' W a .A

• • >= >=

M aC 6 6 6 .6 h

GA U e=

J3 W m m 85 J >= G) CO

>= J ZW  % N 4 W& N O M > 8C N M WQ N N WC W M .

.J o o 1 i

>=

Z CE O 6t'l WW O N E CD 3E @

e W

i

'f UD N CO 8" 9 W C W M

. .- 2 '

E Y .I W O CL O

.1 > Q CC ' Q CK

>= W >

. ,,a ** Q W W CL CL 0 >* 3 >=

Q A E >= >=

HW == E =+ E Em E W E W Ww w z W 3 Ee >* Q >= U Q W'*e W CL M CL E > E 413 > 4C tsh D ON D **

Q W W e= 4 0 e O e $ Q 9 9 Q 7-3 i

c______ __ _

p 1

1 1'

1 1.

Component failure rate estimates were derived from failures recorded in LERs and DVRs dated January 1984 through August 1986. This period was chosen because accurate component demand data and mainte".ance outage data were available only between these dates. Although the period Lovered in the data analysis is quite short, the presence of five diesel genert, tors at the LaSalle units provided over 12 " diesel-years" of data for the dicsel generator analysis, the presence of six SDV vent and drain valves provided over 15 " valve-years" of data for the SDV analysis, and the presence of 16 MSIVs provided over 40 "MSIV-years" of data for the MSIV problem.

Demand data for diesel generators and their output breakers were obtained from the diesel generator start logs kept for each diesel. Demands imposed to test diesel operability af ter maintenance or repair were excluded from the total (diesel start failures occurring during such demands were not included in the failure count). Diesel generator operating hours were obtained from a record kept by plant personnel of readings of the diesel run time meters.

A LaSalle. surveillance history listing was generated for those test precedures that include test demands of diesel cooling water pumps. The number of such tests during the data analysis period (1/84-8/86) was used to estimate the number of pump demands.

Demands of SDV vent and drain valves during the data analysis period were esti-

' mated by counting the number of plant scrams during this period and assuming quarterly testing of the valves.

7.2 GENERIC DATA SOURCES Most component failure rates and failure probabilities used in the analysis were  ;

obtained from generic sources. Because of the wide variety of failure modes and components in the modelt, a number of different sources were drawn upon. Most have been used widely in PRAs. These sources are enumerated briefly below.  !

NUREG/CR 2815. "Probabilistic Safety Analysis 'rocedures Guide"-includes a set  ;

of recommended generic failure rates for use as screening values in PRAs.

3-l 7-4 l

EGG-EA-5887, " Generic Data Base for Data and Models Chapter of the National-Reliability Evaluation Program (NREP) Guide"-served as. the basis for the values presented in NUREG/CR-2815, but includes some demand failure probabilities as well as hourly failure rates.

IEEE-500-1984, IEEE Guide to the Collection and presentation of Electrical.

Electronic. Sensing Componer.t . and Mechanical Equiparent Reliability Data for Nuclear-Power Generating Stations-contains data for a wide variety of compo-nents, based largely on surveys of expert opinion.

NUREG/CR-1363, " Data Summaries of Licensee Event Reports of Valves at U.S.

Commercial Nuclear. Power Plants"-includes failure rate estimates derived from valve failures reported in LERs for a variety of data breakdowns.

NUREG/CR-2098 "Comon Cause Fault Rates for Pumps"-common cause rates for different pump types and system populations based on failure data in LERs.

NUREG/CR-2099, " Common Cause Fault Rates for Diesel Generators"-common cause rates for different system populations based on failure data in LERs.

NUREG/CR-2770, "Comon Cause Fault Rates for Valves"-comon cause rates for different valve types and system populations based on failure data in LERs.

NUREG/CR-2771. "Comon Cause Fault Rates for Instrumentation and Control Assemblies"-comon cause rates for different I&C component types and system populations based on failure data in LERs.

GE22A2689 " Recommended Component Failure Rates"-values compiled by G.E. for PRAs and reliability studies, used in LaSalle PRA.

Palisades Plant PRA-tnis PRA involved an extensive plant data collection effort.

Failure rate estimates for components and failure modes unavailable elsewhere were obtained from this study.

l'he components and failure modes using values from these sources are detailed in the Appendices in the quantifiution data tables for each analysis.

i 7-5

l l

l l

)

7.3 EVENT PROBABILITY MODELS AND PARAMETER ESTIMATION The parameters to be estimated from plant data, the method of estimating the '

parameters from data, and the derivation of basic event probabilities from plant _

data estimates or generic values depended on the event probability model assumed for the particular event.

' Component failure events were assigned a probability model based on either a demand failure probability or an hourly failure rate.

I Failure, demand, operating time, and exposure time data were pooled for compo. l nents of the same type. For example, data were pooled for all diesel generators, diesel cooling water pumps, etc. The pooled data were used to estimate failure rates to apply to all components of the data pool. For demand-related failure modes, the failure rate was estimated by dividing the number of failures counted.

for the data pool by the number of demands. For operating time-related , failure modes (pump or diesel generator falls to run), the failure rate was estimated by dividing the number of failures by the number of operating hours. For passive (breaker fails to remain closed) failure modes or standby-related failure modes, the failure rate was estimated as the number of failures divided by the number of exposure hours.

Component exposure time for these failure modes is defined as the time during which the component' is exposed to the failure mode. For most components, the exposure time equais the number of calendar hours included in the period covered by the data analysis. For passive failure modes, the exposure time is the number of. hours (during the data analysis period) that the component is in a particular position (open or closed).

Some component data pools experienced no failures. In these cases, the failure rate was not estimated as stated above, because this would result in a failure rate estimate of zero. Instead, the number 0.5 was divided by the appropriate denominator (demands, operating time, or exposure time) to estimate the f ailure rate. This allowed a non-zero failure rate estimate for those data pools with no failures. Furthermore, this failure rate estimate is lower than the estimate that would have been calculated had one failure been experienced, so some credit is given to the components in the data pool for not failing. Other methods of addressing this situation, such as Bayesian updating of generic failure rate distributions are possible, but were not used in this analysis.

7-6

Event probabilities were calculated from the failure rate estimates in different ways, depending on the components and failure modes represented by the events.

The probability of demand failures was set equal to' the demand failure rate estimated from data. The probability of operating-time failures was calculated as the product of the operating-time failure rate and the assumed mission time -

for the component. The probability of normally open breakers failing to remain closed after closing on demand was also calculated by this formula.

The probability of other passive and' standby-related failures was calculated as the product of the failure rate and one-half the average time between component tests (i.e., the test interval). Certain components and failure modes are appropriately represented by either a demand failure rate or standby failure rate model. Some failure rates originally derived as demand failure probabilities, however, were re-derived as standby failure rates. The componert failure proba-bility was re-calculated using the component test interval.

77  ;

i Appendix B MST TEMPERATURE TRIPS SUPPLEMENTAL ANALYSES The following sections discuss in more detail the results of the probabilistic analyses performed to support removal of the main steam tunnel (MST) ambient and-delta temperature trips of the main steam isolation valves (MSIVs).

Initiator Frequency The chief impact of removing the automatic trip function associated with the MST ambient and delta temperature sensors is at the initiator-frequency level.

Primarily, the likelihood of a spurious MSIV closure initiator will be reduced at a result. Based on the three spurious MSIV closures attributed to the MST delta temperature - trip that have occurred at the LaSalle station since commercial operation, the spurious MSIV closure frequency should be reduced by 0.45 ,

events / year (3 events divided by 6.7 plant years for both Units' I and 2 yields approximately0.45 events / year). Although these trips occurred in the first year of ' operation, the plant operations staff has been required to take turther pre-cautions-such as bypassing the temperature trip circuitry whenever maintenance is being performed on the ventilation system-to avoid similar recurrences.

Other probable initiators of a spurious main steam line isolation still exist, such as random failures of the ventilation system or environmental conditions that can affect ventilation filtration and inlet temperatures. Since the spurluus MSIV closure frequency is expected to decrease, fewer challenges to plant safety systems are required resulting in a corresponding decrease in the probability of ATWS, as well as other sequences following such an initiator that could lead to core melt.

For the resolution strategy in which the MST temperature trips are removed, an adverse initiating event frequency increase can be postulated for the possibility of a small leak propagating to a larger leak or break before the operators detect the leak and begin a controlled manual plant shutdown. The expected increase in j the frequency of a large break in a steam line outside containment should be f minimal-if any. In order to evaluate the initiator impact for small breaks outside containment, it was conservatively assumed that all small breaks would ,

B-1

1 I

i i

l propagate to large break status at the small pipe break initiator frequency. The Shoreham PRA analysis (1) indicated that both the WASH-1400 study (,2,) and an EPRI study (,3_) determined the probability of a LOCA initiator was an order of magni-tude greater for smaller breaks. The Shoreham initiating event analysis did not specifically evaluate small breaks outside containment on the basis that the consequences of such events would be significantly less than the sequences following a large LOCA outside containment leading to core melt. Therefore, the Shoreham initiating event frequency for a large LOCA in a main steam line outside containment will be used and increased by a factor of ten. The Shoreham analysis determined an initiating event frequency for a large break in a main steam line outside containment of 2.1E-06 per reactor year. Based on the above discussion, a value of 2.lE-05 was used in the accident sequence analyses.

System Unavailability Change i To investigate the change in MSIV functional unavailability, a fault tree model of the isolation valves on the "A" steam line was created. For calculation of the base case unavailability (2.9E-05), all five isolation signals were included in the model. - The quantification results (page B-8) reveal that the dominant )

contributors to unavailability (the top 25 cut sets account for approximately 93 percent of the unavailability) are mechanical faults associated with the MSIV itself or control circuit air-operated valves or solenoids.

Removal of tne MST temperature trips from the model produced 38 additional cut sets (page B 9). These cut sets were five (5) orders of magnitude less signi-  !

ficant than the dominant cut sets, so their impact on the functional unavaila-

'ility was imperceptible.

Since the main steam lines are connected downstream of the MSIVs at the equalizing header, a valve in each line must close to totally isolate the break j from the reactor vessel. Therefore, the failure probability to isolate all four lines with the trips removed is 4 x 2.9E-05 or approximately 1.2E-04.

Accident Sequence Analysis As stated previously, any decrease in MSIV closure initiator frequency will provide a decrease in the sequences following such an initiator that could lead B-2

r_-__,-. _

l

)

to core melt. However, the reduced frequency of core damage associated with the spurious MSIV closure event attributable to removal of the MST temperature trips l must be traded off against any increase in the steam break outside containment l sequences. Failure of the MSIVs to close following a large main steam line break outside containment results in an unisolated LOCA that bypasses containment. .

Figure B-1 provides a functional event tree representation of this accident scenario. Failure to provide low pressure coolant injection (Sequence AoutML) results in a rapid core melt due to loss of coolant out the break. -This sequence represented significantly less than 1 percent of the estimated mean frequency of core vulnerability based on the Shoreham PRA, but was included because of the i

potentially severe consequences of such an accident, A similar sequence is even less likely at LaSalle h?cause the Shoreham analysis assumed failure of all low pressure injection at c probability value of 0.2 due to adverse environmental conditions in the secondary containment (reactor building) failing ECCS motor control centers. At tasalle, the outboard MSIVs are located in the main steam tunnel; a large break In a main steam line in the MST that cannot be isolated by the MSIVs would result in blowout to the stack and would not degrade ECCr capability. The Shorehao analysis estimated a failure probability of 6.3E-04 for failure of both the low 3ressure core spray and LPCI systems. Thereforo, considering the initiating event frequency of 2.1E-05 and the probability for failure to isolate by closing the MSIVs (1.2E-04) witi- ,

failure of low pressure injection at 6.3E-04 (Sequence AoutML on the functional event tree), this sequence can be considered to be an insignificant contributor to possible core damage frequency at LaSalle. The failure to scram sequence (AoutMC) is similarly determined to be insignificant since the low probability of the initiator (2.1E-05) with failure to isolate at 1.2E-04 times the reactor scram failure probability used in most PRAs, 3.0E-05 (4_), makes the sequence highly unlikely, especially if credit was taken for other negative reactivity methods such as the standby liquid control (SLC) system.

MSIV FAULT TREE MODEL The MSIV fault tree model primarily focuses upon the MSIV position control circuitry (Figure B-2). This circuit is composed of solenoid valves that de-energize to open and close air-operated valves that direct instrument air from l

B-3

)

i J

F i l

V V O B*

S S

e c

S S

A S

S A

A n K L L N e O C C L

C U*

V q u

e S

R )

E CT O t n 1 C

NA e ( L is M M M EN n t

tu t

u UG Q S a r o u

o o E T A A A e SED d r i e s m _ ta t E _

t s

_ w u T

R . p o

Ot H

R W .

u e k a

Y . b o e N m r O m b C

e r e a

p c

. n t i N 4 e n l O w 0 r e TI o L C

t - il m m I

E lwba a e

N nt t I

io no t

s T

c c N e r A jn de o L

O O

nm c

H i is e t f

e C

r u e wN _ u o s

r s

e ts t r

pl o t n

wi s e

S E L lo y v e .

P r O VCY R mt o t R r l n C e n e a e t

v nm gh on

- n ii lo *n t a ct T

M lu loo nn A 5 fs o uo C

I R R 0 C C -

s r. F c S E e O c e c c un 3 1

- S is -

B D

1 e

V sE 4 r S SO8v S E u M 0 T ig M MLC E O

N F 2

1 K Y AT R EN t /

T RO u 5 BC 0 I

NM o -

I A5 A E E/

TO 1

S 2

i 1

i l

MSIV ISOLATION SIGNAL

_HS S S FROM IA - - - - - - - - - - -- ---- ----- --

, i i i

MSIV POS. l-------~~-------i l CONT. UNIT t_________l i 7_________.,__________j i i

, i _

m l l

HS

$ I l l u l l i i

t2 , ,

i

<< i , 1 Ah CA Ah FROM V IA

---Qf--]--->4

_4__

NN 8 i

l MSIV i

Figure B-2. MSIV position control unit.

I 1

l B5

ll 1

the bottom of the MSIV piston and supply air to the top of the piston. Details concerning the development and quantification of the model are discussed in the section that follows.

Modeling Assumptions

1. The success criteria for the model was closure of one MSIV on steam line "A." l 4

2. All steam lines (A, 8. C, and D) have identical isolation logic; therefore, only the isolation of the "A" steam line was modeled.

3. Electrical prints for Unit I were used in the development of the fault tree.

Unit 2 isolation valves and associated trip logic are identical.

4. During a medium or large steam break in the main steam tunnel, the following i isolation signals will be present:

o main steam line low pressure, o main steam line high flow, o reactor vessel lo-lo level, o main steam tunnel high ambient temperature, and o main steam tunnel high delta temperature.

)

5. In order for the isolation valves to close, it is only necessary to vent the l compressed air holding the valves closed. The internal spring, without .the aid of compressed air, is adequate to ensure closure within required time limits (GE design spec 22A2812 Section 4.5.1.8).

6. Should the four-way valve supplying air to the top of the HSIV fall to close, compressed air will be directed out the vent valve. If this occurs, it is assumed that the increased flow out the vent valve will prevent adequate venting to ensure MSIV closure within the required time limit for " fast" closure.

l 7.Theair-operatedMSIVventvalvemustopenfortheMSIVtoclose(i.e.,other ,

vent paths are not included in the model) within the time required for " fast" closure.

i 8-6

(L 1

l, jo

8. As a backup to the automatic isolation signals, the operator may isolate the reactor vessel by manually closing the MSIVs from the control room.

9. Credible failures for all isolation sensors, except the temperature switches, '

include random and coninon mode failures as well as calibration errors. 1

10. Consnon mode failures and calibration errors were not included in the modeling of the main steam tunnel temperature sensors. The results of the analysis will be conservative using this assumption.

References

1. GE design spec 22A2812 (Section 4.5.1.8), revision 5.

2. Piping and Instrument Drawings (P&lDs)

M-2116 (sh 8/26) Revision K 06/17/83 l

3. Electrical Drawings 1-E-1-4203AB Revision R 04/30/82 1-E-1 4203AC Revision T 02/08/85 1-E-1-4203AD Revision R 04/30/82 1-E-1 4203AE Revision S 11/08/84 1-E-1-4203AF Revision T 11/08/84 '

1-E-1-4203AG Revision T 11/08/84 1-E-1-4203AH Revision T 11/08/84 i' 1 E-1-4203AJ Revision T 11/08/84 1-E-1-4215AC Revision AA 01/29/85 1-E-1-4224AC Revision G 08/13/81 1-E-1-4224AD Revision. G 08/13/81 1-E-1-4232A8 Revision R 03/11/85 1-E-1-4232AC Revision V 03/11/85 1-E-1-4232AD Revision V 11/26/84 1-E-1-4232AE Revision U 05/17/84

~

4. LaSalle License System Description Main Steam System Chapter 21 02/85 Component Data  ;

For the majority of the components modeled in the MSIV fault tree, it was not possible to obtain plant-specific data; therefore, the focus of the data col-1ection effort was examination of MSIV failures. Plant deviation reports were surveyed and no failures of the MSIVs had been recorded. To estimate a plant-B-7 i

m j l

specific failure rate. 0.5 failures (see Section 6) were divided by the number of MSIV exposure hours (i.e., the number of MSIVs at the LaSalle Nuclear Station multiplied by the hours of full-power operation). The resulting time-dependent

- failure rate estimate is 1.1E-06 per hour. Other data utlized in the quanti-fication of the fault tree are presented in Table B-1.

Quantification Results Quantification of the base case produced 51 cut sets that contributed to an unavailability of 2.9E-05. The top 25 cut sets, representing mechanical faults, accounted for approximately 93 percent of the unavailability. When the MST temperature trip signals were removed 38 additional cut sets, all with a proba-bility less than 2.0E-11, were produced; but the unavailability remained j unchanged at 2.9E-05. These additional cut sets all related to failure of the isolation signal to the MSIV.

I l

Cut Sets for Base Case ,

1 1.4400E 06 MAV22AN MAV28AN 2 1.2000E-06 MAV22AN MSV8A2Z 3 1.2000E-06 MAV22AN MAV8ASN 4 1.2000E-06 MAV28AN MAV2ASN 5 1.2000E-06' 'MAV22AN MSV8A12 6 1.2000E-06 MAV28AN MSV2A12 7 1.2000E-06 MAV22AN MAV8AVP 8 1.2000E-06 MAV28AN MAV2AVP 9 1.2000E-06 MAV28AN MSV2A2Z 10 1.0000E-06 MAV8AVP MSV2A12 11 1.0000E-06 'MSV2A2Z MSV8A1Z 12 1.0000E-06 MAV2AVP MAV8AVP 13 1.0000E-06 MAV2ASN MAV8AVP 14 1.0000E 06 MSV2A22 MSV8A2Z 15 1.0000E-06 MAV2ASN MSV8A2Z 16 1.0000E-06 MAV2AVP MSV8A2Z l 17 1.0000E-06 MAV2ASN MSV8A1Z 18 1.0000E-06 MSV2A12 MSV8A12

{ MSV2A1Z 19 1.0000E-06 MAV8ASN 20 1.0000E-06 MSV2AIZ MSv8A22 21 1.0000E-06 MAV2AVP MAV8ASN 22 1.0000E-06 MAV2AVP MSVBA1Z l

L 23 1.0000E-06 MAV2ASN MAV8ASN 24 1.0000E-06 MAV8ASN MSV2A2Z 25 1.0000E-06 MAV8AVP MSV2A22

!! MREK16Z l; 26 1.2000E-07 MAV22AN l- 27 1.2000E-07 MAV28AN MREK51Z 28 1.2000E-07 MAV28AN MREK14Z 29 1.2000E-07 MAV22AN MREK52Z 30 1.0000E-07 MREK52Z MSV2A12 B-8 I'

l.

j l

i l

)

I i

Cut Sets' for Base Case (continued) 31 1.0000E-07 MREK512 MSV8A22 32 1.0000E-07 MREK16Z MSV2A1Z 33 1.0000E-07 MREK52Z MSV2A22 34 1.0000E-07 MAV8AVP MREK14Z 35 1.0000E-07 MREK16Z MSV2A2Z 36 1.0000E.07 MREK14Z MSV8A2Z 37 1.0000E-07 MAV8ASN MREK51Z 38 1.0000E-07 MAV8ASN MREK14Z 39 1.0000E-07 MAVBAVP MREK51Z

, 40 1.0000E-07 MAV2 ASH HREK52Z 41 1.0000E-07 MAV2ASN MREK16Z 42 1.0000E-07 MREK14Z MSV8A1Z 43 1.0000E-07 MAV2AVP MREK52Z 44 1.0000E-07 MAV2AVP MREK16Z 45 1.0000E-07 MREK51Z MSV8A1Z 46 1.0000E-08 MREK14Z MREK52Z 47 1.0000E-08 MREK7BZ MREK7DZ 48 1.0000E-08 MREK14Z MREK16Z 49 1.0000E-08 MREK51Z MREK52Z 50 1.0000E-08 MREK16Z MREK51Z 51 1.0000E-08 MREK7AZ MREK7CZ MIN CUT UPPER BOUND : 2.91796E-05 Additional Cut Sets Produced by Removal of the MST Temperature Trips 52 1.0800E-11 MAVMSIVX MLSRXCC MPSFLOWX MPSPRESX 53 5.9400E-12 MAVMSIVX MLSRXCC MPSFLOWX MPSPRSCC 54 5.9400E-12 MAVMSIVX MLSRXCC MPSFLWCC MPSPRESX 55 3.2670E-12 MAVMSIVX MLSRXCC MPSFLWCC MPSPRSCC 56 9.0000E-13 MAVMSIVX MLSRXX MPSFLOWX MPSPRESX 57 4.9500E-13 MAVMSIVX MLSRXX MPSFLWCC MPSPRESX 58 4.9500E-13 MAVMSIVX MLSRXX MPSFLOWX MPSPRSCC 1 59 2.7225E-13 MAVMSIVX MLSRXX MPSFLWCC MPSPRSCC MPS15BP MPSFLOWX MREK4DZ 60 1.0800E-15 MAVMSIVX MLSRXCC

• • SPRESX MREK38Z MREK30Z 61 1.0800E-15 MAVMSIVX MLSRXCC MPSPRESX MREK3BZ MREK7DZ 62 1.0800E-15 MAVMSIVX MLSRXCC MPS15DP MPSFLOWX MREK7BZ 63 1.0800E-15 MAVMSIVX MLSRXCC MPS15BP MPSFLOWX MREK7DZ 64 1.0800E-15 MAVMSIVX MLSRXCC MPS150P MREK30Z MREK7BZ 65 1.0800E-15 MAVMSIVX MLSRXCC MPS15DP MPSFLOWX MREK4BZ 66 1.0800E-15 MAVMSIVX MLSRXCC MREK3CZ MREK4CZ MREK7AZ 67 1.0800E-15 MAVMSIVX MLSRXCC MLSRXCC MPSPRESX MREK30Z MREK7BZ 68 1.0800E-15 MAVMSIVX MLSRXCC MPS15BP MREK3BZ MREK70Z 69 1.0800E-15 MAVMSIVX MPSFLOWX MREK4AZ MREK4CZ 70 1.0800E-15 MAVMSIVX MLSRXCC MREK3BZ MREK4BZ MREK7DZ 1 71 1.0800E-15 MAVMSIVX MLSRXCC MPSFLOWX MREK4BZ MREK70Z 72 1.0800E-15 MAVMSIVX MLSRXCC MPS15AP MPSFLOWX MREK4CZ 73 1.0800E-15 MAVMSIVX MLSRXCC MPSPRESX MREK3AZ MREK3CZ 74 1.0800E-15 MAVMS!VX MLSRXCC i

MLSRXCC MPSPRESX MREK3AZ MREK7CZ 75 1.0800E-15 MAVMSIVX l

MLSRXCC MPS15CP MPSFLOWX MREK7AZ 76 1.0800E-15 MAVMSIVX MPS15AP MPSFLOWX MREK7CZ 77 1.0800E-15 MAVMSIVX MLSRXCC MPSFLOWX MREK4CZ MREK7AZ 78 1.0800E-15 MAVMSIVX MLSRXCC MPS15CP MREK3CZ MREK7AZ 79 1.0800E-15 MAVMSIVX- MLSRXCC MLSRXCC MPS15AP MPS15CP MPSFLOWX 80 1.0800E-15 MAVMSIVX MPS15CP MPSFLOWX MREK4AZ 81 1.0800E-15 MAVMSIVX MLSRXCC B-9 1

b

Additional Cut Sets Produced by Removal of the MST Temperature Trips (continued) 82 1.0800E-15 MAVMS!VX MLSRXCC MPSPRESX MREK3CZ MREK7AZ 83 1.0900E-15 MAVMSIVX MLSRXCC MPS15AP MREK3AZ MREK7CZ 84 1.0800E-15. MAVMSIVX MLSRXCC MREK3AZ MREK4AZ MREK7CZ 85 1.0800E-15 MAVMS!VX MLSRXCC MPSFLOWX MREK4AZ MREK7CZ 86 1.0800E-15 MAVMSIVX MLSRXCC MPS15BP MPS15DP MPSFLOWX 87 1.0800E-15 MAVMSIVX MLSRXCC MREK3DZ MREK4DZ MREK7BZ 88 1.0800E-15 MAVMSIVX' MLSRXCC MPSFLOWX MREK4BZ MREK4DZ 89 1.0800E-15 MAVMSIVX MLSRXCC MPSFLOWX MREK4DZ MREK7BZ MIN CUT UPPER BOUND : 2.91796E-05 References

1. Probabilistic Risk Assessment, Shoreham Nuclear Power Station, SAI-372-83-PA-01, June 1983.

2. " Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants." U.S. Nuclear Regulatory Commission. October 1975.

3. S. L. Basin and E. T. Burns, Characteristics of Pipe System Failures in Light Water Reactors, Electric Power Research Institute Report, EPRI NP-438 August ,

l 1977.

4. NUREG/CR-0460, Anticipated Transients without Scram, Vol. 1 April 1978.

B-10 l

l u

.I M

D H

/

o A G C 0 O E L 4 A 3 HHHHHH' HHHHHHHHHH HHHH ,)

CCCCCCCCCCCCCCCC RCCCCSAHHHH ETTTTE RCCCC TTTTTTTTTlTTTTTT IIIIIIIIIIIIIIII TI III H FWWWW C PTTTTWWWWWWWWWWWWWWWW 00 ASSSS IIII SSSSSSSSSSSSSSSS

- - TSWWWW MM Y EEEEIESSSSEEEEEEEEEEEEEEEE

, , L RRRR W D S A LLLL RRRRRRRRRRRRRRRR QQ EUUUU AAAA UUUUUUUUUUUUUUUU

- - TSSSS4 S SSSSS5SSSS5SSS5S DD A SSSS/L NNNN I

UUUU SSSSSSSSSS5SSSSS IEEEE4 EEEEEEEEEEEEEEEE

, , DRRRR , A AAAARRRRRRRRRRRRRRRR E HH EPPPP3(PMMMMPPPPPPPPPPPPPPPP E

R

//

66 M , , ,

7 002222 M4444 . R 44444444444444444444 T

EE

- 1111 I 1111GO11111111111111111111 -

. . . .R . . . .PR . . . . . . . . . . . . . . . . . . . .

T L 11.GGGGOGGGG 11

, R GGGGGGGGGGGGGGGGGGSG E PPPPPPPPPPPPPPPPPPPP U PPPPRPPPP1 E , . 7 A , . , ,R . , , ,7 N , . , , , , , . . , , ' , , , , , , , , .

F C AA7777 E77772O77777777777777777777 R TT8888 8888 - I 88888888888888888888 V

1 U

O AA 5555 8888R8888RT O5555 88888888888888888888 55555555555555555555 5 DD - - - - - - - - CA - - - - - - - - - - - - - - - - - - - -

M S AAAA T AAAA /RAAAAAAAAAAAAAAAAAAAA G BEEEEEEEEEEEEEEEEEEEE A

TTEEEEA EEEE 1 R NN - - - - R - - - - E I - - - - - - - - - - - - - - - - - - - -

B O

T A

AAGGGGEGGGGRLGGGGGGGGGGGGGGGGGGGG LLGGGGPGGGGUAGGGGGGGGGGGGGGGGGGGG F

e D PPEEEEOEEEENCEEEEEEEEEEEEEEEEEEEE l A b T a E T A D T A '

N R 333333144443455554444444444444444 O

I E 000000000000000000000000000000000 T R EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE A U 220000000002000000000000000000000 C L 111111911111111111111111111111111 I I .

F A I

F T

N A

U Q E 55 5 M 99 6 I

00 3 T 11 A 6 D 66 00 0 B - - -

EE E M 11 4 A

L 11 3 R

E X C

I F NNNPNP V PPPP CX PPPPPPPPPPPPPPPPPPPP I AA5VSV1ABCD 28AAAA 5 KX ABCDABCDABCDABCDA8CD 55558688999900001111 T

N 222288M22226666 RR22220000000011111111 VVVVVVV5555SSBBBB 55555555SSSSS5SS E

D AAAAAAALLLLLLPPPPPPPPPPPPPPPPPPPP I MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

M M D D H H

- / /

7 7 0 0 E E 5 5 1 1 HHHH S)S)

CCCC TTTT EA EA I II I H R H R WWWW C P TC P SSSS T I SI S EEEE WEWE RRRR SDSD UUUU 4 A 4 A 5SS5/S /5 I l SSSS4 4 EEEE L l

,A ,A RRRR 4 P 4 PPPP6(6(P 4444G .R G.R 555555555555555555555555222 1111 P O P O111111111111111111111111111

. . . . R R . . . . . . .....................

GGGG 1

.R 1

,R GGGGGGGGGGGGGGGGGGGGGGGGGGG PPPP7 E 7 E PPPPPPPPPPPPPPPPPPPPPPPPPPP E , , . ,72N2N 7 C

R 7777 O O777777777777777777777777777

) 8888RIRI888888888888888888888888888 U 8888 888888888888888888888888888 d

e O 5555 CTCT 555555555555555555555555555

- - - - (A(A - - - - - - -

u S AAAA R RAAAAAAAAAAAAAAAAAAAAAAAAAAA n EEEE G B G 8EEEEEEEEEEEEEEEEEEEEEEEEEEE i

t A - - - - E I E 1------ -

n T GGGGRLRLGGGGGGGGGGGGGGGGGGGGGGGGGGG o A GGGGVAVAGGGGGGGGGGGGGGGGGGGGGGGGGGG c D EEEENCMCEEEEEEEEEEEEEEEEEEEEEEEEEEE

(

1 B E T

l e A -

b R 44445454444444444444444444444444333 a 00000000000000000000000000000000000 T E - - - - - - - - - - - - - - -

R EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE U 00005050000000000000000000000000000 L 11115151111111111111111I11111111111 I

A F

E 5 5 M 6 6 I

3 3 T

A 7 7 D 0 0 8 - -

M E E 5 5 A

E 1 1 R

E CXCX I

PPPPCWC5ZZZZZZZZZZZZZZZZ ZZZZZZZZ ZZZ F ABCD I ABCD WOSE46ABCDABCDABCD12ABCD 11I33334444557777XXXX AAA 121 T 5555 LLRR11 I 1111FFPP KKKKKKKKKKKKKKKKKKKKXXXX 228 N

E SSSSS5SSEEEEEEEEEEEEEEEEEEEEEEEEVVV D PPPPPPPPRRRRRRRRRRRRRRRRRRRRRRRRS5S I MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

?g

i V-ZE3.CEZZZ UWWuuvWW W W H H .= W >== H

= == e= em e- en o

33333333 MMMMMMMM WWWWWWWW MNMMMMMN DD232DDD MMMMMMMM MMMMMMMM WWWWWWWW KKMMMMEE E G. A. A Q. & A. A e o e a e a e e Nwwwwwwww ese M e=e em e=e e=e M e=e e=e e e e . e o e e e LD W LD G W LD W W W Q. & G. 4 A & E A. Q.

U e e e e e o e e o N is N N rs N N N N V

e Q mgassaggs s m m no m e e a e e a e e a m

3 M 4 4 4 4 4 W eC W W C WWWWWWWWW a * . . . . . . . . .

e 'W W 60LDLDLDLDLD c LD o q ggggggggg

,,,,, O WWWWWWWWW e=e e i gg W '

& i M 4 l 8 " mwwwwwwww e

• C00000000 x W W e e e e e a a e a E WWWWWWWWW m O C.0 e 0e e0e 0 MMMMMMMMM o 0 e 0 0 0 e

< > s g L N G N W  %

w C C e=e W 8 O E c A M e X

N hW "

> 4-L Q

= W aC e D L O A h

ED E C K l g

" $u e.

>,p 6

C e

w he

• AE 2Eze a a a m

W O x gceed.

m O = ., 6 ae> y g

E e

- w a. o. a. se

= 3e

- ~<muo<mvo e

=

i K z <

(DwOwOwOwOmem m MmMe.e m O 3 m E O D- m o

$o y >MMMMMMMM e M.--- -.-> .-*- ,

m EEEEEEEEE E M d o

B 13 1

I 1

7

ATTACHMENT E UFSAR REFERENCES SECTION 5.2.5 Reactor Coolant Pressure Boundary Leakage Detection Systems Table 5.2-8 Summary of Isolation / Alarm of System Monitored and the Leak Detection Methods Used.

Figure 5.2-11 Calculated Leak Rate As A Function Of Crack Length ;and Applied Hoop Stress.

7.3.2 Primary Containment and Reactor Vessel Isolation Control Instrumentation and Control.

Table 7.3-2 Primary Containment and Reactor Vessel Isolation Actuation Instrument Setpoints (Sheet 3 of'3).

7.6.2 Reactor Coolant Pressure Boundary Leakage Detection.

7.7.15 Leak Detection System Instrumentation and controls.

Table 15.0-2 Summary of Events Results.

15.2.4 Inadvertent MSIV Closure.

15.2-6 3-Second Closure of All MSIV's 105% Power.-

15.6.4.1 Identification of Causes and Frequency Classification

LSCS-UTSAR 5.2.4.7 System Leakage and Hydrostatic Pressure Tests These tests on LSCS equipment are made in strict accordance with Section III and Section XI requirements of the ASME Boiler and Pressure Vessel Code.

5.2.4.8 Coordination of Inspection Equipment with Access Provisions Development of remotely controlled inspection equipment is followed closely to assure that inservice inspection access provisions are adequate to permit its use.

Inspection locations, inspection techniques, inspection frequencies, and evaluation are in accordance with Section XI, ASME Boiler and pressure Vessel Code.

5.2.5 Reactor Coolant pressure Boundary Leakace Detection Systems 5.2.5.1 Leakace Detection Methods The nuclear boiler leak detection system consists of temperature, pressure, and flow sensors with associated instrumentation and alarms. This system detects, annunciated, and isolates (in certain cases) leakages in the following systems:

a. main steamlines,

b. reactor water cleanup (RWCU) system,

c. residual heat removal (RRR) system,

d. reactor core isolation cooling (RCIC) system, and

e. feedwater system.

Isolation and/or alarm of affected systems and the methods used p(=- T are' summarized in Table 5.2-8. Drawing Nos. M-155, M-156 (sheets M-A 1-4), M-157, M-86 (sheet 1), M-129 (sheet 1), M-93 (sheet 4), M-2127 (sheet 1), M-2101, M-2055 (sheets 1, 3-7), M-2096 (sheet 5), M8cA and M-2097 (sheet 2) depict the p & ID or C & ID for the leakage i detection systems. Section 1.7 provides the Elementary Diagrams i ned for these systems. FJes Small leaks (5 gpa and less) are detected by temperature and pressure changes and by drain pump activities. Large leaks are also detected by changes in reactor water level and changes in flow rates in process lines.

CAUTION

. ilS DOCUMENT / DRAWING IS FOR ADMINISTRATIVE REFERENCE ONLY.

IT SHALL NOT BE USED FOR MAIN-TEN ANCE, OPERATION, DESIGN OR5.2-38 REV. 0 - APRIL 1984 ASME/ TECH SPEC PFi. ATrn ACTIVITIFS

LSCS-UFSAR 5.2.5.1.1 Detection of Abnormal Leakace within the Primary Containment Leaks within the drywell are dete:ted by monitoring for abnormally high pressure and temperature within the drywell, high s

' fill-up rates of equipment and. floor drain sumps, excessive temperature difference between the inlet and outlet cooling water for the drywell coolers, increased flow rate of the cooler condensate, a decrease in the reactor vessel water level, and high levels of fission products in the drywell atmosphere.

Temperatures within the drywell are monitored at various  !

elevations. Also, the temperature of the inlet and exit air to the atmosphere coolers is monitored. Excessive temperatures in the drywell, increased drain sump filling rate, increased cooler condensate flow, and drywell high pressure are annunciated by ,

alarms in the control room and, in certain cases, cause automatic l isolation of the containment. In addition, lowThe reactor vessel water level will isolate the main steamlines. systems within .

the drywell share a common area; therefore, their leakage i detection systems are common. Each of the leakage detection systems inside the drywell is designed with a capability of  ;

detecting leakage less than established leakage rate limits.

5.2.5.1.2 Detection of Abnormal Leakace Outside the Primary Containment Outside the drywell, the piping within each system monitored for leakage is in compartments or rooms separate from other systems where feasible, so that leakage may be detected by area temperature indications. Each leakage detection system discussed in the following is designed to detect leak rates that are less than the established leakage limits. The method used to monitor for leakage for each RCPB component is given in Table 5.2-8. l

a. Ambient or Differential Room Ventilation Temp-erature - A differential temperature sensing system is installed in each room containing equipment that is part of the reactor coolant pressure boundary.

These rooms are the RCIC, RHR, and reactor water cleanup systems equipment rooms and the main steamline tunnel. {

Temperature sensors are placed in the inlet and outlet ventilation ducts. Other sensors are installed in the equipment areas to monitor ambient temperature. A differential temperature switch between each set of sensors and/or ambient temperature switch initiates an alarm and isolation when the temperature reaches a preset value.

I Annunciator and remote readouts from temperature j

sensors are indicated in the control room.

5.2-39 REV. 1 - APRIL 1985

f f

i LSCS-UFSAR

b. Containment Sump Flow Measurement - Instrumentation monitors and indicates the amount of leakage into the  ;

reactor building floor drainage system. The normal l i

L design leakage collected in the system consists of i leakage from the reactor water cleanup and CRD systems, and from other miscellaneous vents and drains. ]

c. Visual and Audible Inspection - Accessible areas ara inspected periodically. The temperature and flow i

indicators discussed previously are monitored regularly. Any instrument indication of abnormal leakage will be investigated.

d. Differential Flow Measurement (Cleanup System Only) -

)

Because of the arrangement of the reactor water cleanup system, differential flow measurement provides an accurate leakage detection method. The f flow from the reactor vessel is compared with the  !'

l flow back to the vessel. An alarm in the cor. trol

) room and an isolation signal are initiated when higher flow out of the reactor. vessel indicates that ,

a leak equal to the established leak rate limit may exist.

5.2.5.2 Leak _ Detection Devices

a. Drywell Floor Drain Sump Measurement - The normal design leakage collected in the floor drain sump consists of leakage from the control rod drives, valve flange leakage, floor drains, chilled cooling .

water system, and drywell cooling unit drains. f

b. Drywell Equipment Drain Sump - The equipment drain sump collects only identified leakage. This sump receives condensate drainage from pump seal leakoff, reactor vessel heat flange vent drain, and valve packing leakoff. Collection in excess of background leakage would indicate reactor coolant leakage. I I

c. Drywell Cooler Drain - Condensate from the drywell coolers is routed to the floor drain sump and is monitored by use of a flow transmitter mounted locally while having ir.dicating and alarm instrumentation in the control room. An adjustable alarm is set to annunciate on the condensate flow rate approaching the technical specification limit.

d. Drywell Pressure Measurement - The drywell is at a slightly positive pressure during reactor operation.

The pressure fluctuates slightly as a result of barometric pressure changes and outleakage. A pressure rise above the normally indicated values 5.2-40 REV. 0 - APRIL 1984

I LSCS-UFSAR '

)

will indicate the presence of a leak within.the drywell.

e. . Devve11 Tennerature Measurement - The drywell cooling system circulates the drywell atmosphere.through heat exchangers.(air coolers) to maintain the drywell at its designed operating temperature.and also provides cooling water to the air coolers. An increase in a drywell atmosphere temperature would increase the I temperature rise in_the chilled. cooling water passing 4 'through the coils of the air coolers. Thus, an

]

increase in the. chilled cooling water temperature difference between inlet and outlet to the air coolers-will indicate the presence of reactor coolant. l orl steam leakage. Also, a drywell ambient temperature rise will indicate the presence'of reactor coolant or steamLleakage. A temperature rise in the drywell is detected by monitoring.the drywell temperature at various elevations, the inlet-and .,

outlet air to the coolers, and.the chilled cooling water temperature increase'between inlet and outlet to the coolers. .

f. Drywell Air Samplina - The drywell air sampling system is used to supplement the temperature, pressure'and flow variation method (described previously) and to detect leaks in the nuclear system process barrier. The system continuously monitors the drywell atmosphere for airborne radioactivity.

The sample is drawn from the drywell. A sudden increase _of activity,:which may be attributed'to steam or reactor water leakage, is annunciated in the control room. (Refer to Subsection 7.6.2.2.) l 1

Table 5.2-8 summarizes the actions taken by each leakage detection function. The table shows that those systems which. detect gross leakage initiate-immediate automatic isolation. The systems which are capable of detocting small leaks initiate an alara in the control room. The operator can manually isolate the violated system or take other appropriate action.

g. Reactor Vessel Head Closure - The're' actor vessel head closure is provided with double seals with a leakoff.

connection between seals that is piped through a normally closed manual valve to the equipment drain E _susp. Leakage through the first seal is annunciated i in the control room. When pressure between the seals increases, an alara in the control room is actuated.

The second seal then operates to contain the vessel pressure.

5.2-41 REV. 1 - APRIL 1985

LSCS-UFSAR l-l l

h. Reactor Water Recirculation Puno Seal - Reactor water l

' recirculation pump seal leaks are detected by monitoring the drain line. Leakage, indicated by high flow rate, alarms in the control room. Leakage is piped to the equipment drain sump. (See the nuclear boiler reactor recirculating P&ID, Drawing Nos. M-93 (sheets 1 & 2) and M-139 (sheets'1 & 2).

i. Safety / Relief Valves - Temperature sensors connected to a multipoint recorder are provided to detect safety / relief valve leakage during reactor operation. j safety / relief valve temperature elements are mounted, using a thermowell, in the safety / relief valve j discharge piping several feet from the valve body.

Temperature rise above ambient is annunciated in the to main control room. (See the nuclear boiler and r ng6J 1

reactor recirculating P&ID, Drawing Nos. M-55, M-ll6 (sheet 1), M-2055, (sheets 1 and 3), and M-2116 gf,g (sheets 1 and 3). J

j. Valve Packino Leakace - Valve stem packing leaks of h.e -

certain power-operated valves in the nuclear boiler f 6,3 ,

system, reactor water cleanup system, high-pressure review l i core spray, reactor core isolation cooling system, residual heat removal system, and recirculation system are detected by monitoring packing leakoff for high temperature and are annunciated by an alarm in the control room. l 5.2.5.3 Indication in Control Room Leak detection methods are discussed in Subsection 5.2.5 1.

Details of the leakage detection system indications are .ncluded j

l in Subsection 7.6.2.2.  ;

5.2.5.4 Limits for Reactor Coolant Leakace 5.2.5.4.1 Total Leakace Rate The total leakage rate consists of all leakage, identified and unidentified, that flows to the drywell floor drain and equipment drain sumps. The criterion for establishing the total leakage rate limit is based on the makeup capability of the RCIC systems normal a-c power, and and is independent the emergency of the feedwater core cooling systems. system,Thetotalleakageratelimithhf)i is at 25 gpm per Technical Specifications. 9gg3 nus \

5.2.5.4.2 Normally Expected Leakace Rate and other seals in systems The pump packing glands, valve stems, that are part of the reactor coolant pressure boundary and from which normal design leakage is expected are provided with drains or auxiliary sealing systems. Nuclear system valves and pumps inside the drywell are equipped with double seals. Leakage from 5.2-42 REV. 1 - APRIL 1985

LSCS-UFSAR the primary recirculation pump sea'.s is piped to the equipment drain sump as described in Subsection 5.2.5.2. Leakage from the main steam safety / relief valves is identified by temperature sensors that transmit to the control room. Any temperature increase above the drywell ambient temperature detected by these sensors indicates valve leakage. Leakage from the reactor vessel head flange is also monitored (Subsection 7.6.2.2.). l Thus, the leakage rates from pumps, valve seals, and the reactor vessel head seal are measurable during plant operation. These leakage rates, plus any other leakage rates measured while the drywell is open, are defined as identified leakage rates.

1 5.2.5.5 Unidentified Leakace Inside the Drywell 5.2.5.5.1 Unidentified Leakace Rate The unidentified leakage rate is the portion of the total leakage rate received in the drywell sumps that is not identified as previously described. A threat of significant compromise to the nuclear system process barrier exists if the barrier contains a crack that is large enough to propagate rapidly (critical crack length). The unidentified leakage rate limit mbst be low because of the possibility that most of the unidentified leakage rate might be emitted from a single crack in the nuclear system process barrier.

An allowance for leakage that does not compromise barrier integrity and is not identifiable.is made for normal plant j operation.  !

The unidentified leakage rate limit is at 5 gpm per Technical f h g Specifications to allow time for corrective action before the "**

process barrier could be significantly compromised. This 5-gpm i unidentified leakage rate is a small fraction of the calculated l flow from a critical crack in a primary system pipe (Figure ggig j 5.2-11). T5d 5.2.5.5.2 Lenath of Throuch-Wall Flaw l Experiments conducted by GE and Battelle Memorial Institute (BMI) l (Reference 4) permit an analysis of critical crack size and crack  ;

l opening displacement. This analysis relates to axially oriented through-wall cracks. l Critical Crack Lenoth Both the GE and the BMI test results indicate that theoretical fracture mechanics formulas do not predict critical crack length, but that satisfactory empirical expressions may be developed to fit test results. A simple equation which fits the data in the range of normal design stresses (for carbon steel pipe) is: I lc = 15000D (data correlation on Figure 5.2-12) (5.2-1) l UR 5.2-43 REV. 1 - APRIL 1985

LSCS-0FSAR )

where E c = critical crack-length (inches),

D = mean pipe diameter (incher), and UR = nominal 1 hoop stress (psi).

Crack Opening Displacement 1The. theory of elasticity predicts a crack opening displacement of:.

w = 2 E0 (5.2-2)

E Where:

E = crack length, c = applied' nominal stress, and E = Young's Modulus.

Measurements of crack opening displacement made.by BMI show that local yielding greatly increases the crack opening displacement as the applied stress. approaches.the failure stress . A suitable correction factor for plasticity effects is:

(5.2-3)

C=sec{h- f The crack opening areafis given by:

2 A='ChWE'="E2E sec -2" o U (5.2-4) f '

For a given crack length E,og = 15,000 D/t.

Leakace Flow Rate The maximum flow rate for blowdown of saturated water at 1000 psi is 55 lb/sec-in 8, and for saturated steam the rate is 14.6 lb/sec-ina (Reference 5). Friction in the flow passage reduces this rate, but for cracks leaking at 5 gpa (0.7 lb/sec), the effect of friction is'small. The required leak size for 5-gpm flow is:

A = 0.0126 ina (saturated water) and I. = 0.0475 in* (saturated steam).

From this mathematical model, the critical crack length and the 5-gpa crack length have been calculated for representative BWR pipe size (Schedule 80) and pressure (1050 psi).

5.2-44 REV. 0 - APRIL 1984

/

l - -- -_ _

LSCS-UFSAR The lengths of.through-wall cracks that would leak at the rate of 5 gpa given as a function of wall thickness and nominal pipe size are:

Nominal Pipe Average Wall Crack E, (inches)

Size (Sch 80), inches Thickness, inches Steamline Waterline 4 0.337 7.2 4.9 12 0.687 8.5 4.8 24 1.218 8.6 4.6 The ratios of crack length, t, to the critical crack length, E c' as a function of nominal pipe size are:

Nominal pipe Ratio OE c

_ Size (Sch 80), inches Steamline Waterline 4 0.745 0.510 12 0.432 0.243 24 0.247 0.132 It is important to recognize that the failure of ductile piping with a long through-wall crack is characterized by large crack opening displacements which precede unstable rupture. Judging from observed crack behavior in the GE and BMI experimental programs involving both circumferential and axial cracks, it is esticated that leak rates of hundreds of gpm will precede crack instability. Measured crack opening displacements for the BMI experiments were in the range of 0.1 to 0.2 inch at the time of incipient rupture, corresponding to leaks of the order of 1 in8 in size for plain carbon steel piping. For austenitic stainless steel piping, even larger leaks are expected to precede crack.

instability, although there are insufficient data to permit quantitative prediction.

The results given are for a longitudinally oriented flaw at  ;

normal operating hoop stress. A circumferentially oriented flaw could be subjected to stress as high as the 5500 F yield stress, assuming high thermal expansion stresses exist. A good mathematical model which is well supported by test data is not available for the circumferential crack. Therefore, it is assumed that the longitudinal crack, subject to a stress as high as 30,000 psi, constitutes a worst case with regard to leak rate versus critical size relationships. Given the same stress level, differences between the circumferential and longitudinal orientations are not expected to be significant in this comparison.

5.2-45 REV. 0 - APRIL 1984

LSCS-UFSAR Figure 5.2-11:shows general relationships'between crack length,

. leak rate, stress, and line size, using the mathematical model described previously. The asterisks denote conditions'at which the crack opening displacement is 0.1 inch, at which time instability is imminent as noted previously under " Leakage Flow Rate . "- This provides a realistic estimate of.the leak rate to be i expected from a crack of critical size. In every case, the' leak

. rate from a, crack of critical size is significantly greater than the 5-gpa criterion.

522.5.5.3 'Marains of Safety' The margins of safety for a detectable flaw to reach critical

' size are. presented in Subsection 5.2.5.5.3. Figure 5.2-11 shows general relationships between crack length, leak rate, stress, and line size using the mathematical model.

5.2.5.5.4 Criteria to Evaluate the Adecuacy and Marain of the Leak-Detection System For process lines that are normally open, there are atoleast two

-different methods of-detecting abnormal leakagectrenaeach sysses within the nuclear system process barrier locateduintthe dryuellv, coactor building, andl auxiliary building, as'shown~in-Table, 5.2-8. The instrumentation is designed so it can be set to provide alarms at established leakage rate limits and isolate the affected system, if necessary. The alarm points are determined analytically or based on measurements'of appropriate _ parameters made during startup and preoperational tests.

The unidentified leakage rate limit is based, with an adequate margin for-contingencies, on the crack size large enough to4

' propagate rapidly. The established limit is sufficiently low so -

that, even if_the entire unidentified leakage rate were coming  !

from a single crack in the nuclear system process barrier, corrective action could be taken before the integrity of the barrier would be threatened with significant compromise.

The leak detection system satisfactorily detects unidentified-leakage of 5 gym.

Sensitivity, including sensitivity testing and response time of the leak detection system and the criteria for shutdown if i leakage limits is exceeded, are covered in Section 7.6 and in the f

. Technical Specifications.  !

The leak detection system is discussed in Subsection 5.2.5, while  !

its subsystems, instrumentation, and operation theory are

~

i described ~in Subsection 7.6.2.2. The system component l l requirements are given in Table 3.2-1.

5.2-46 REV. 1 - APRIL 1985

- ._ ._-__--___________a

LSCS-UFSAR i

5.2.5.6 Differentiation Between Identified and Unidentified 3 Leaks l Subsection 5.2.5.1 describes the systems that are monitored by the leak detection equipment. The ability of the leak detection system to differentiate between identified and unidentified leakage is discussed in Subsections 5.2.5.1, 5.2.5.5, and 7.6.2.2. l l 5.2.5.7 Sensitivity and Operability Tests t Testability of the leakage detection syctem is contained in Section 7.6.

5.2.5.8 Safety Interfaces The balance-of-plant nuclear steam supply system safety interfaces for the leak detection system are the signals from the monitored balance-of-plant equipment and systems which are part of the nuclear system process barrier, and all associated wiring and cable lying outside the nuclear steam supply system equipment. These balance-of-plant systems and equipment include the main steamline tunnel, the safety / relief valves, and the

~

turbine building sumps.

5.2.5.9 Testino and Calibrations Provisions for testing and calibration of the leak detection System are covered in Chapter 14.0 and in the Technical Specifications.

5.2.6 References

1. R. Linford, " Analytical Methods of Plant Transient Evaluation for the General Electric Boiling Water Reactor," NEDO-1082, April 1973.

2. J. M. Skarpelos and J. W. Bagg, " Chloride Control in BWR Coolants," NEDO-10899, June 1973.

I

3. W. L. Williams, Corrosion, Vol. 13, p. 539, 1957.

4. M. B. Reynolds, " Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flows," GEAP-5620, April 1968.

5. F. J. Moody, " Maximum Two-Phase Vessel Blowdown from Pipes,"

APEO-4827, April 1965.

l 1

5.2-47 REV. 1 - APRIL 1985

lili:l n

IOtoecMi n N 3UeM

• Is[o _

,q gg O4 gmohqno(> Fc. o4 m4mi$* xo*H$ qo > f d%M nM>* OMN o:2 N3 0(n C MO _ _

<b">W 3ObHOaO

> > > >N >NH > > >Ns (s (n >Ns

,mypqggO yo1

• nog e t

a t R s r u _

o Tg w a _

o h T l x _

a t. F E l e W e - e t C T r h t v a Cw u g h e R o hg s i g L e rl s l

) ) i r f e r u w eF i e h 1 H e t o l H r n g (

t a l F

oe a P i a

i H e m

)

h a r ot ge g W e Ca e e r ( t p h s r n D a ar i m g rn A i e R ru H

(

h e i ie l r r 'hs 4 Ad t m o u w ps 1 T l f

a s o ae w n n n p s ir o r o C p Co e e l o

i P m PC m e t m e F DP l u / p S u r F t t

a h S hh i S P h Ce c c g gg u w g I n a a moaNnS o o i C ii q o B C i Ci U e P HH E L R P H RL C R ns,NDQa b-L l I

x x x xW x x X

x. D mne Nt'De mo x X" x x x

>e -

mn x x x X x x

=xw x x x x mto mo x x x X x x nn~n _

meaES no

t x x x x

=n n mo x b7enX <>H<8a-

=. tem r no

t x

x x x xH

• x n o9DCM b7enX <>H<2te vo e.neM bD:H3HGn * - E xoe x x

• x wt o _

noe% x *

,eeGC9ee mn x x x x T

o:enX <DH<ete- mo t x^ x nMoMZO mn e *1 MN 9WMM noDnDt*5a 5 no* t nwo en nooY $e C$en _

x. e Me nom UCrHOtDena-

> aeeN nc e nH DCt w e reoEa n o3 o

tHeD &0*sdenMa>9 n on meot e e8$n ECH rao5t* e tre:e m<mt $.

r r r toe

• amt$terg ,7y3 C

, yI

m. >HM s0.e9t a

o t&nyDD

$e %nyae" e:> e " no3o# .

r Oete

. a e0 6o aeeann emx9ca ee gemes g7$ e N>"r r mW3 e rd a en -

m. HD M D 9oOe oDP<*=

.. >H> o3e4 s

ane>9 aSpeV~-

) s o8 >MNHM 8

)

glpDUM **

t 0

• t- W 0 D.

!lfI L

y . _ _ , _ _ _ _ _ _ _ _ _ _ _ _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ . _

800 -

24 in. LINE e

400 -

4i 200 -

Nn.LINE ,

j 3

2

. .2 ,1[ ]

2 N J m -

).a

• P so . R

- 2

}' so -

I W

ua

- n -

15 -

10 -

0 ~

1. AX1 ALLY ORIENTEO C14fiCM +

6 SATURATED WATER SYSTEM S - AT 1000 peg 8 ASTERtSKS DENOTE CRACK OPENING OF 0.1 in.

4 -

2 -

I I  ! l  ! I I t iI I  !

A 8 12 16 20 24 28 32 38 O

CRACK LENGTH Ga.)

LA S ALLE COUNTY ST ATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 5.2-11 CALCULATED LEAK RATE AS A FUNCTION OF CRACK LENGTH AND APPLIED HOOP STRESS REV. 0 - APRIL 1984

i i

e I LSCS-UFSAR l

1.3.2 ' Primary containment and Reactor Vessel Isolation Control Instrumentation and control "l.3.2.1 Desian Bases The followi.ng safety. design bases have been implemented in the primary containment and reactor vessel isolation control system:

a. To limit the release of radioactive materials to the environs, the primary containment and reactor vessel isolation control system shall, with precision and reliability, initiate timely isolation of penetrations through the primary contairunent whenever the values of monitored variables exceed preselected operational limits.

b. To provide assurance that important variables are monitored ,

with a precision sufficient to fulfill safety design basis l a, the primary containment and reactor vessel isolation control system shall respond correctly to the sensed variables over the expected design range of magnitudes and rates of change.

c. To provide assurance that important variables are monitored to fulfill safety design basis a, a sufficient number of .

sensors shall be provided for monitoring essential variables,

d. To provide assurance that conditions indicative of a failure of the reactor coolant pressure boundary are detected to fulfill safety design basis a, primary containment and reactor vessel isolation control system inputs shall be derived from variables that are true, direct measures of operational conditions.

e. The time required to close the main steamline isolation valves shall be short so as to minimize the loss of coolant from a steamline break.

E%g CEuI f. The time required to close the main steam valves shall not O

hQ be so short that inadvertent isolation of steamlines causes a transient more severe than that resulting from closure of

$Q E2gh the turbine stop valves coincident with failure of the i gy$cu) o ~

turbine bypass system. This ensures that.the main steam isolation valve closure speed is compatible with the ability Y g-Zo u. j < of the reactor protection system to protect the fuel

• • • • • • 'Y ""* *"* ' ' ""* *""" ' ""d*'Y-

' O$"5k"O o$

Ug g. To provide assurance that the closure of automatic isolation CE valves is initiated when required to fulfill safety design

) $NO g: CyO Wkw basis a, the following safety design bases are specified for l.

o the systems controlling automatic isolation valves:

l

( w 2>5H0o0 W. U) i hZ JI- 1. No single failure, maintenance operation, calibration

' ] l- - J W O operation, or test to verify operational availability O shall impair the functional ability of the isolation o9djN Z I control system.

g _2 u)gy 4@

IF-O<_p-wF-u><

.} REV. 1 - APRIL 1985 7.3-25

.LSCS-UFSAR

2. The system:shall be designed so that the required number of sensors for any monitored variable exceeding the isolation setpoint will initiate automatic isolation.

3. Where a plant condition that requires isolation can be t

brought on by a failure or malfunction of a control or regulating. system, and the same failure or malfunction l

. prevents action by one or more isolation control system channels designed to Provide protection against the unsafe condition, the remaining portions of the

~

isolation control system shall meet the requirements of L ,

safety design bases a, b, c, and g.1.

4. The power supplies for the primary conta'nment i and reactor vessel isolation control system shall be arranged so that. loss of one supply cannot prevent l automatic-isolation when required. l j

5. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Return '

to normal operation'after isolation action shall l require deliberate operator action.

4 6. There shall be sufficient electrical and physical separation of wiring and piping between trip channels  ;

monitoring the same essential variable to prevent environmental. factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.

7. Earthquake ground motions shall not impair the ability of the primary containment and reactor vessel isolation ,

I control system to initiate automatic isolation.

h, The following safety design basis is specified to assure that the isolation of main steamlines is accomplished:

1. The isolation valves-in each of the main steamlines shall not rely on electrical power to achieve closure.

i

1. To reduce the probability that the operational reliability {

j of the primary containment and reactor vessel isolation control system will be degraded by operator error, the following safety design bases are specified for automatic isolation valves:

1. Access to all trip settings, component calibration ]

controls, test points, and other terminal points for  ;

equipment associated with essential monitored variables shall be under the control of plant operations j supervisory personnel. i i

LSCS-UFSAR

2. The means for bypassing trip channels, trip logics, or ,

system components shall be under the control of the ]

control room operator. If the ability to trip some essential part of the system has been bypassed, this I fact shall be continuously indicated in the control room.

j. To provide the operator with a means to take action that is independent of the automatic isolation functions in the event of a failure of the reactor coolant pressure boundary,  ;

it shall be possible for the operator to manually initiate isolation of the primary containment and reactor vessel from the control room.

k. The following bases are specified to provide the operator with the means to assess the condition of the primary  ;

containment and reector vessel isolation control system and l i

to identify condition:s indicative of a gross failure of the i reactor coolant pressure boundary:

1. The primary containment and reactor vessel isolation control system shall be designed to provide the '

operator with information pertinent to the status of the system. ,

2. Means shall be provided for prompt identification of trip channel and' trip system responses.

1. It shall be possible to check the operational availability of each trip channel and trip logic during reactor operation.

The specific safety requirements met by the primary containment and reactor vessel isolation control system instrumentation and controls are shown in Tables 7.1-2 and 7.1-4.

7.3.2.2 system Description The primary containment and reactor vessel isolt tion control system includes the sensors, channels, switches, and remotely activated valve closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment, reactor vessel, or both.

The purpose of the system is to prevent the release of significant amounts of radioactive materials from the fuel and reactor coolant pressure boundary by automatically isolating the appropriate pipelines that penetrate the primary containment. The power generation objective of this system is to avoid spurious closure of particular isolation valves as a result of single failure.

7.3.2.2.1 Power Sources 1

Power for the channels and logics of the isolation control system is supplied from the two electrical buses that supply the reactor protection system trip l systems. Each bus has its own motor-generator set and can receive alternate l

l l power from the preferred power source. Each bus can be supplied from only one ]

l l

I i

1

_ a

LSCS-UFSAR of its power sources at any given time. Motor-operated isolation valves receive power from emergency buses. Power for the operation of two valves in i'

~ a line is supplied from separate or dif ferent sources. Table 8.1-1 lists the power supply for each isolation valve, and discussions of these power supplies l are given in Section 8.1 and 8.3.

j 7.3.2.2.2 EauiDment Desian Pipelines that penetrate.the primary containment and directly communicate with the reactor vessel generally have two isolation valves, one inside the primary containment and one outside the primary containment. These automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the reactor coolant pressure boundary.  !

Power. cables run in raceways from + electrical source to each motor-operated isolation valve. Solenoid valve power goes from its source to the control ~

devices for the valve. The main steamline isolation valve controls inclu'de ,

I pneumatic piping and an accumulator for those valves that use air as the emergency motive power source. Pressure, temperature, and water level sensors are mounted on instrument racks in the secondary containment. Turbine stop i valve position switch, control valve fast closure trip devices, and condenser vacuum switches are located in the turbine building on turbine equipment.

valve position switches are mounted on motor and air-operated' valves. ,

Switches are encased to protect them from environmental conditions. Cables from each sensor are routed in conduits and cable trays to the control room. I All signals transmitted to the control room are electrical; no pipe from the nuclear system penetrates the control room. The sensor cables and power supply cables are routed to cabinets in the control or electrical equipment rooms, where the logic arrangscents of the aystem are formed. The vent and

. purge valve solenoid valves are powered from the MCC from which the original limitorques were powered.

7.3.7.2.3 Initiatina cirquilp During normal piant operation, the isolation control system sensors and trip i controls that are essential to safety are energised. When abnormal conditions are sensed, trip channel sensor contacts open eausing contacts in the trip logic to open and thereby initiating isolation. Loss of both power supplies j also initiates isolation. Loss of instrument air pressure will not prevent the closure of the vent and purge valves if a closure signal occurs.

For the main steamline isolation valve control, four channels are provided for each measured variable. One channel of each variable is connected to a particular logic in order to maintain channel independence and separation.

One output of th; inboard logic actuator is used to control one solenoid of i the inboard and outboard valves of all four main steamlines, and one output of i the outboard logic actuator is used to control the other solenoid of both inboard and outboard valves for all four main steamlines.

Each main steamline isolation valve is fitted with two control solenoids. For l each valve to close automatically, both of its solenoids must be deenergized.

Each solenoid receives inputs from two logics, and a signal from either can cause deenergization of the solenoid.

The main steamline drain valves and reactor water sample valves also operate in pairs. The inboard valves close if both the MSIV intoard isolation logics are tripped. The inboard valves close if two of the main steamline isolation-logics are tripped, and the outboard valves close if the other two logics ars tripped.

7.3-28 REV. 3 - APRIL 1987

LSCS-UPSAR The reactor water cleanup system, residual heat removal system, and reactor water sample isolation valves are each controlled by two logic circuits, one for the inboard valve and a second for the outboard valve.

The control system for the automatic isolation valves is designed to provide closure of valves in time to minimize the loss of coolant from the reactor and prevent the release of radioactive material from the containment. A secondary design function is to prevent uncovering the fuel as a result of a break in those pipelines that the valve isolates and thereby restrict the release of radioactive material to levels below the guidelines of published regulations.

Sensors providing inputs to the primary containment and reactor vessel isolation control system are not used for the automatic control of the process system, thereby achieving separation of the protection and process systems.

Channels are physically and electrically separated to reduce the probability that a single physical event will prevent isolation. Redundant channels for one monitored variable provide inputs to different isolation trip systes:.

Table 7.3-2 lists instrument characteristics.

The isolation trip settings of the reactor vessel isolation control system are listed in Table 7.3-2. The safety design bases of these isolation signals are discussed in the following paragraphs.

7.3.2.2.3.1. Reactor Vessel Low Water Level A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach in any of the pipelines in which the valves are contained, conserve reactor coolant by f closire off process lines, or prevent the escape of radioactive materials from i

the primary containment through process lines that communicate with the primary containment interior.

j Two reactor vessel low water level isolation trip settings are used to

( complete the isolation of the: primary containment and the reactor vessel. The first (and higher) reactor vessel low water level isolation trip setting initiates closure of RKR system valves. The main steamlines are left open to allow the removal of heat from the reactor core. The second (and lower) reactor vessel low water lev.el isolation trip setting completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves and any other valves that must be closed to isolate process lines.

The first low water level setting (which is the RPS low water level scram setting) was selected to initiate isolation at the earliest indication of a I

possible breach in the reactor coolant pressure boundary, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following pipelines is initiated when reactor vessel low water level falls to this first setting:

1

\

\

a a m _ _ _ _ _ _ _ . . _ _ _ . _ _ _ _ _ _ _ _ _ _ _

LSCS-UPSAR

a. RHR' reactor shutdown cooling supply,

b. RHR reactor head spray. and

c. RHR shutdown cooling discharge to radwaste.

The second.(and lower) of the reactor vessel low water level isolation settings-(the:same water level setting at which the RCIC. system is placed in operation) was selected low.enough to allow the, removal of heat from the reactor for a predetermined time following the scram and high enough to complete' isolation in time for.the operation of emergency core cooling systems in the. event of,a large break in.the reactor coolant pressure boundary.-

Isolation of the following pipelines is initiated when the reactor vessel water level falls'to this second setting:

a. dll four main steamlines,

b. main steamline drain,

c. reactor water sample line,

d. reactor water cleanup,

e. drywell floor and equipment drains,

f. containment monitoring,

g. primary containment purge,

h. drywell instrument air,

i. reactor building closed cooling water system, J. primary containment chilled water, and

k. recirculation flow control valve hydraulic lines.

Reactor vessel low water level signals are initiated.from eight differential l pressure switches. They sense the difference between the pressure caused by a constant reference leg of water and the pressure caused by the actual water level in the vessel. Each switch has one set of contacts which are used to effect isolation functions. Four of the switches are used to indicate that water level has dropped to the first (higher) low water level. isolation setting. . The remaining four indicate that water level has dropped to the second (lower) low water level isolation setting.

L 'Four pairs of instrument sensing lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement and terminate outside the drywell and inside the containment, They are physically separated from each other and tap off the reactor vnnsel at widely separated points. This arrangement assures that no single physical event'can prevent isolation if it is required.

i 1

1 7.3-30 REV. 3 - APRIL 1987 I _____- -__- __ - ___ a

i LSCS-UPSAR 7.3.2.2.3.2 Main Steamline High Radiation High radiation in the vicinity of the main steamlines could indicate a gross release of fission products from the fuel. High radiation near the main steamlines initiates isolation of the following pipelines:

a. all main steamlines,

b. main steamline drain, and

c. reactor water sample line.

The high radiation trip setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to detect promptly a gross release of fission products'from the fuel. Detailed discussion of the main steamline radiation monitoring subsystem is presented l in Subsection 7.6.1.1.

1.3.2.2.3.3 Main steamline space High Temperature and Differential Temperature i

High temperature in the space in which the main steamlines are located outside of the primary containment could indicate a breach in a main steamline. Such  ;

a breach may also be indicated by high differential temperature between the . l

?

outlet and inlet ventilation air for this steamline space. The automatic closure of various valves prevents the excessive loss of reactor coolant and the release of significant amount of radioactive material from the reactor coolant pressure boundary. When high temperatures occur in the main steamline space, the following pipelines are isolated:

l

a. all four main steamlines, and

b. the main steamline drain.

The main steamine space high temperature trip is set far enough above the temperature expected during operation at rated power to avoid spurious isolation, yet low enough to provide early indication of a steamline break.

Ambient high temperature in the vicinity of the main steamlines is detected by dual element thermocouple located in the tunnel. Dual element thermocouple are also located at the inlet to the steam tunnel and at the outlet to the steam tunnel. These thermocouple measure the temperature difference through the steam tunnel. The temperature elements are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment.

The main steamline space temperature detection system is designed to detect leaks of from 1% to 10% of rated steam flow.4 7.3.2.2.3.4 Main steamline High Flow Main steamline high flow could indicate a break in a main steamline.

Automatic closure of various valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the reactor coolant pressure boundary. On detection of main steamline high flow, the following pipelines are isolated:

i LSCS-UFSAR

a. all four main steamlines, and

b. the main steamline drain. f l

The main steamline high flow trip setting was selected high enough to permit "

isolation of one main steamline for test at rated power without causing an automataic isolation of the other steamlines, yet low enough to permit early detection of a steamline break.

High flow in each main steamline is sensed by four indicating type differential pressure switches that sense the pressure difference across the flow element in that line.

7.3.2.2.3.5 Low Steam Pressure at Turbine Inlet Low steam pressure at the turbine inlet, while the reactor is operating, could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves become fully open causing rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the allowaole rate of change of vessel temperature could exceed l

'the allowable rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in ,

undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. The occurence of such depressurizations without adequate preventive action could require thorough vessel analysis or core inspection prior to i returning the reactor to power operation. To avoid these time-consuming requirements following a rapid depressurization, the steam pressure is monitorud At the turbine inlet. pressure falling below a preselected value with the reactor in the RUN mode initiates isolation of the following ,

pipelines:. I

a. all four main steamlines, and

b. the main steam drain line.

j The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to Although this i

j provide timely detection of a pressure regulator malfunction. i isolation function is not required to satisfy any of the safety design bases for this system, the discussion is included to complete the listing of  ;

)

isolation functions. l I

~ Main steamline low pressure is sensed by four pressure switches that sense The ,

pressure downstream of the outboard main steamline isolation valves.  !

sensing point is located as close as possible to the turbine stop valves.

7.3.2.2.3.6 DrYwell High Pressure High pressure in the drywell could indicate a breach of the reactor coolant pressure boundary inside the drywell. The automatic closure of various valves prevents the release of significant amounts of radioactive material from the containment. On detection of high drywell pressure, the following pipelines are isolated:

1 tscs-urana y

a. drywell drains (discharge to radwaste),,

'b. -primary containment' vent and purge dampers,-

i

c. drywell instrument nitorgen, s

d. ~ containment monitoring (non-post-accident portions),

e. RHR shutdown cooling discharge to radwaste,

(

f. recirculation FCV hydraulic lines,'and

g. TIP withdrawal line.-

The'drywell high-pressure isolation setting was selected to be as low as ,

.possible without' inducing spurious isolation-trips.

Drywell pressure is monitored by four'non-indicating pressure switches that are mounted on instrument racks outside the primary containment. Instrument sensing lines that terminate in the-reactor building connect the switches with the drywell' interior.

7.3.2.2.3.7- Reactor Buildino Ventilation Exhaust-Plenum Monitor Subsystem

• The.systemLinitiates control signals in the event the radiation level exceeds i j

a predetermined level to isolate the reactor building vent system, to initiate '

the standby gas treatment system, and to close primary containment purge and vent valves. A more detailed discussion of the system is presented in subsection 7.6.1.2.

7.3.2,.2.3.8 Reactor Water Cleanup System High Differential Flow High differential flow in the reactor water cleanup system could indicate a breach of the nuclear system process barrier in the cleanup system. The-cleanup system flow at the inlet to the heat. exchanger is compared with the flow at:the outlet of the filter / demineralized. Higher flow from the vessel

' initiates isolation of the cleanup system.

7.3.2.2.3.9- Reactor Water Cleanup System Area High Temperature and Differential Temperature i

High temperature in the area of the reactor water cleanup system could s indicate a breach in the reactor coolant pressure boundary in the cleanup system. High area temperature and high differential temperature in the area ventilation system initiates isolation of the reactor water cleanup system.

7.3.2.2.3.10 RHR System Area Hiah Temperature and Differential Temperature

High temperature in the area of'the RHR system pumps could indicate a breach in the nuclear process barrier in the RHR shutdown cooling system. High area temperature and high differential temperature in the' area ventilation system initiates isolation of the RRR shutdown cooling system.

l

LSCS-UFSAR High temperature in the spaces occupied by the reactor shutdown cooling system

^ l piping and the react 6r water cleanup system piping outside the drywell is '

sensed by thermocouple that indicate possible pipe breaks. Temperature sensors in the equipment area and the inlet and outlet ventilation ducts of the RHR shutdown cooling system and the reactor water cleanup system actuate a differential temperature switch, which results in isolation.

7.3.2.2.3.11 Main steamline Imak Detection Description" The main steamlines are constantly monitored for leaks by the leak detection system (Figure 7.3-7 and Drawing Nos. M-155 and M-157). Steamline leaks will cause changes in at least one of the following monitored operating parameters:

sensed temperature, flow rate, or low water level in the reactor vessel. If a leak is detected, the detection system responds by triggering an annunciator {

and initiating a steamline isoltion trip logic signal. Additional discussion l is presented in Subsection 7.6.2.3. l 7.3,2.2.3.12 Turbine condenser vacuum Trip In addition to the present turbine stop valve trip on low condenser vacuum instrumentation, which is a standard component of the turbine system, a main steamline isolation valve trip in the low condenser vacuum instrumentation system will be provided and will meet the safety design basis of the nuclear steam supply shutoff and primary containment isolation systems. ,

The main turbine condenser low vacuum would indicate a leak in the condenser.

Initiation of the automatic closure of various Class A valves will prevent the excess loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of turbine condenser low vacuum, the following lines are isolated:

a. all four main steamlines, and

b. the main steamline drain.

f The turbine condenser low vacuum trip setting was selected far enough above the normal operating vacuum to avoid spurious isolation, yet low enough to l

I provide an isolation signal prior to the rupture of the condenser and subsequent loss of reactor coolant and release of radioactive material.

7.3.2.2.4 Logic The basic logic arrangement is one in which an automatic isolation valve is j controlled by two trip systems. Each trip system has two trip logics, each of which receives input signals from at least one trip channel for each monitored variable. Thus, two trip channels are required for each essential monitored variable to provide independent inputs to the trip logics of one trip system.

A total of four trip channels for each essential monitored variable is required for the trip logics of both trip systems.

The trip actuators associated with one trip logic provide inputs into each of the trip actuator logics for that trip system. Thus, either of the two automatic trip logics associated with one trip system can produce a trip. The

[ logic is a one-out-of-two arrangement. To initiate valve closure the trip actuator logics of both trip systems must be tripped. The overall logic of the system could thus be termed one-out-of-two taken twice.

LSCS-UFSAR This type of logic is used to control the main steamline isolation valves (MSIV). The four logic strings for this control are shown in Figure 7.3-9.

The variables that initiate automatic closure of the MSIV's are:

a. Iow-low reactor water level, I

b. high main steamline radiation, l

c. high main steamline flow,

d. high main steamline tunnel temperature,

e. high main steamline tunnel differential temperature, j

f. low turbine throttle pressure in RUN mode,

g. main condenser low vacuum (bypassable when not in RUN mode and main turbine stop valves closed).

The logic actuator outputs used to control the main steamline drain valves and reactor water sample valves could be termed two-out-of-two, applied to each valve. The logic strings for this control are shown in Figure 7.3-10.

Other isolation valves are controlled by drywell high pressure and reactor low water level signals. In this arrangement, two drywell pressure sensors are combined with two water level sensors to form a " hybrid" one-out-of-two twice network. These same drywell pressure and water level logics are used with process radiation monitor upscale and inoperative signals to produce other isolation actions, including initiation of the standby gas treatment system.

The reactor water cleanup isolation valves are controlled by two logics, using high flow, high area temperature, high area differential temperature, and low water level signals.

7.3.2.2.5 Bypasses and Interlocks An automatic bypass of the main steamline low-pressure signal is effected in l

the startup mode of operation (see Subsection 7.3.2.2.3.).

Interlocks ;re provided from position switches on the drywell drain sumps to the radwaste system to turn off the drywell drain sump pumps if the isolation valves close.

7.3.2.2.6 Redundancy and Diversity f

The variables which initiate isolation are listed in Subsection 7.3.2.2.3.

Also listed there are the number of initiating sensors and channels for the isolation valves.

7.3.2.2.7 Actuated Devices subsection 6.2.4.2 itemizes the type of closing device provided for each isolation valve. To prevent the reactor vessel water level from falling below the top of the active fuel as a result of a pipeline break, the valve closing mechanisms are designed to meet the minimum closing rates also specified in Subsection 6.2.4.2.

I

LSCS-UFSAR I

The vent and purge isolation valves are spring closing, pneumatic, piston-operated butterfly valves. Loss of instrument air will not prevent the closure of the vent and purge valves if a closure signal occurs. This is a

? ail safe design. The control arrangement is shown in Figure 7.3-13. Closure et the valve is less than 10 seconds. Each valve is controlled by one 3-way ASCO direct acting solenoid valve, powered by AC. The main steamline isolation valves are spring-closing, pneumatic, piston-operated valves. They close on loss of pneumatic pressure to the valve operator. This is a fail-safe design. The control arrangement is shown in Figure 7.3-11. Closure time for the valves is adjustable between 3 and 10 seconds. Each valve is piloted by two three-way, packless, direct-acting, solenoid-operated pilot valves, both powered by a-c. An accumulator located close to each isolation valve provides pneumatic pressure for valve closing in the event of failure of the normal air supply system.

The sensor trip channel and trip logic relays for the instrumentation used in the systems described are high reliability relays. The relays are selected so that the continuous load will not exceed 50% of the continuous duty rating.

Table 7.3-6 lists the minimum numbers of trip channels needed to ensure that the isolation control system retains its functional capabilities.

7.3.2.2.8 Separation 2

Sensor devices are separated physically such that no single failure (open, closure, or short) can prevent the safety action. By the use of conduit and separated cable trays the same criterion is met from the sensors to the logic cabinets in the control room. The logic cabinets are so arranged that redundant equipment and wiring are not present in the same bay of a cabinet.

Redundant equipment and wiring may be present in control room bench boards, for separation is achieved by surrounding' redundant wire and equipment in metal encasements (a bay is defined by adequate fire barriers). From the logic cabinets to the isolation valves, separated cable trays or conduit are employed to complete adherence to the single-failure criterion.

7.3.2.2.9 Testability )

i The main steamline isolation valve instrumentation is capable of complete testing during power operation. The isolation signals include low rea, tor water level, high steamline radiation, high main steamline flow, high main steamline tunnel temperature, low condenser vacuum, and low turbine pressure. l The water level, turbine pressure, and steamline flow sensors are pressure or j differential pressure type sensors which may be valved out of service one at a j time and functionq11y tested using a test pressure source. The radiation l measuring amplifier is provided with a test switch and internal test source by j which trip availability may be verified.

• Functionsi operability of the temperature switches may be verified by applying l a heat source to the locally mounted temperature sensing elements. Control room indications include annunciation, panel lights, and computer printout.

The condition of each sensor is indicated by at least one of these methods in addition to annunciators common to sensors of one variable. In addition, the functional availability of each isolation valve may be confirmed by completely or partially closing each valve individually at reduced power using test switches located in the control room.

The cleanup system isolation signals include low reactor water level, high I equipment area ambient temperature and differential temperature, high differential flow, high temperature downstream of the nonregenerative heat exchanger, and standby liquid control system actuation. The water level 7.3-36 REV. 3 - APRIL 1987

LSCS-UPSAR sensor is of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure. The temperature switches may be functionally tested by removing from service and applying a heat source to the temperature-sensing elements. The differential flow switches may be tested by applying a test input. The various trip actuations are annunciated in the control room. Also, valve indicator lights in the control room provide indication of cleanup isolation valve position.

7.3.2.2.10 Environmental considerations The physical and electrical arrangement of the primary containment and reactor vessel isolation control system was selected so that no single physical event will prevent achievement of isolation functions. Motor operators for valves inside the drywell are of the totally enclosed type; those outside the containment have weatherproof enclosures. Solenoid valves, whether used for direct valve isolation or as air pilots, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated (see Tables 3.11-1 and 3.11-2).

Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high-radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a ,

loss-of-coolant accident inside the drywell. Components of the primary containment and reactor vessel isolation control system that are located inside the drywell and that must operat'e during a loss-of-coolant accident are the cablesz control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a loss-of-coolant iccident environment. Electrical cables are selected with insulation designes for this service. Closing mechanisms and valve operators are considered satisitetory for use in the isolation control system only after completion of environmental testing under loss-of-coolant accident conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

7.3.2.2.11 operational considerations The primary containment and reactor vessel isolation control system is not required for normal operation. This system is initiated automatically when one of the monitored variables exceeds preset limits. No operator action is required for at least 10 minutes.

All automatic isolation valves can be closed by manipulating switches in the main control room, thus providing the operator with control which is independent of the automatic isolation functions. j In general, once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate (from the main control room) those pushbuttons which reset the isolation logic and also the switches and/or pushbuttons for individual valves that have been automatically closed in order to reopen them. With the exception of drywell equipment drain sump outlet and the return line valves and the drywell equipment drain sump outlet valves which are provided with l

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ __________o

CE 0 0 0 1 '0 5 9 1 o I G 2 + 5 6 t 0 1 1 2 -

VN 6 1 1 /

- - 1 -

EA - - - 0 0 2 o DR 2 0 0 /

• 5 0 0 8. g . s

. 0 3 0H 0 0 t 1 2 1 5 -

0 -

S I

S AE i i .

BC s i s n

- N i p s n p NA s p i i GW p F F 0  % 2 0 I O 2  % 0

6. g 2 S

Et L. . 0 0

• 3 0l i 1 0 7 1 2 1 6 DA 0 N

)

O t e

I d

s .

d a

T t i

p n A e i s s F n s R p p i i

B p F,

• 4 e

I 4 5 3 0 0 n 0 5 .g 4 L 0 1

• 0 2 u

A 0i l 2

+

2 3 0 1 0 r C 0 l

o f

Y i d . e .

C o i l n p n d p s e i e

A p p i 4

R F F n .

U 4 3 4 0 0 gs t 0 5 .g 0 iw C 0 *

• C 0 3 0 2 3 0H 1 0 6 so A 0 2 el dl e

S eb RI r OS g amg A g d C5T g l . ) a I - I i i l e n sr s o e p i rh TNM p p p ep YGI 0 0 t a Lt L 5 3 7 ti AS 0 2 NE a 2 8 1 * * *

• 2 - id AD 2 D m so

) nt 3 E a 2 U re

- F t g L a 3O A V 1 g Pm 73 1 - A a E g 1 n r l d

u g d h e .

ET L l t o l p n d LE B e f r

l e e y r n / nt BE A p R i au xrg p p i 9

AI I W

• m o TS( O L

L 9

8 6.

ek wc oa 4

3 6

1 6

4 8

2 .

4 3 p-5 5

5 1

8 1

7 5

sh et hi 1

A 1 3 pb 8 1 cw t

ig T wi N ssp I

t d g O r i l

P g i n e0 i u u g d h s .

v0 T o i l

/ p n E e f s e F F e0 S p r . R i l 2 xrg p p p e 9 ek

o. n 6 0

(

P 9 0 g i .

o I 6 wc 4 1 4 3g 0 5 st R 0. oa 5 1 1 1 7 1 1 - r T L 1 pb 8 op su t n h e ef g t v so n i s h e ey h o e H e w u o L rt g i r t -

o t a i ui t u -

L n h H r i

s e h e sl H a n q e x si i s w - m E - t eb

- d e o i ah s

iq i

N n a2 r a

, a r l m i g e W9 pp e R P F T! - u a n r a N t u ll T r e e en- e u t i s ee l c I u en s n n me c a n o

d 1 s sv a N i i 1 t e se i n U s i i l l e 1 s i V C 1 r eL t o e l l i c r et uh ni L r m s

m a

m a nu aa r y r

Bg P v, et A P e e e et ar e a rH i

rw ra N

t t t t a t e s n d o l

l oo ez O l S S Sr Sp e tt f i I l Sh e m e n t - f r T e g w n np ne d o c w c- u C w nil no l T n c ad y av i ds N y i iL a

i i m a ae a s& o e ea RR r

D eo RL s U r a f e C S ee F O M- M- M MT air

) )

) ) Tp

) ) 5 7 8

) ) )

3 4  % 6 2 1 2 2 2 2

• 9 0 2 2 2 ( (

I 2 2 ( ( ( (

( ( (

t

i LSCS-UPSAR 7.6.1.3.1.2 Power Generation Desian Bases The subsystem provides an indication in the control room of the gross gamma radiation level and provides the recorder signal.

7.6.1.3.2 Description The fuel pool vent plenum radiation monitoring subsystem is identical to the reactor. building ventilation exhaust plenum monitoring subsystem, which is i discussed in Subsection 7.3.2.2.3.

7.6.1.3.3 hlygis l The analysis for the reactor building vent exhaust plenum radiation monitoring subsystem, discussed in subsection ~l.6.1.2.3 and Attachment 7.A, applies to ,

i this system since they are identical.

7.6.2 Reactor Coolant Pressure Boundary Leakage Detection 7.6.2.1 e Desion Bas __s 7.6.2.1.1 Safety Design Bases The safety design bases for the. leak detection systems are as follows:

a. Signals are provided to permit isolation of abnormal leakage before the results of this leakage become unacceptable. .j

b. The unacceptable results are as follows:

1. A threat of significant compromise to the reactor coolant pressure boundary.

2. A leakage rate in excess of the coolant makeup capability to the reactor vessel.

The part of leak detection that is related to isolation circuits is designed to meet requirements of the engineered safety feature systems and to comply with the specific regulatory requirements listed in Tables 7.1-2 and 7.1-8.

7.6.2.1.2 Power Generation Design Basis A mear.s is provided to detect abnormal leakage from the reactor coolant pressure boundary.

7.6.2.2 General System Description The instrumentation and controls associated with the leak detection system are Associated automatic valve isolating logic is discussed in Subsection 5.2.5.

defined to be part of-the containment and reactor vessel isolation control system (Subsection ~1.3.2) and RCIC instrumentation and control system (Subsection 7.4.1) and is described in those subsections.

7.6-9 REV. 1-APRIL 1985

J 1

LSCS-UFSAR r

The safety-related portions of the leak detection system perform the following functions: )

a.. Main Steamline Leak Detection.

b. .RCIC System Leak Detection.

1

c. RHR System Leak Detection.

d. Reactor Water Cleanup System Leak Detection, i

Mon-safety-related portions of the leak detection system are discussed in l l

Subsection 7.7.15.

The purpose of the leak detection instrumentation and controls is to provide the signals necessary to detect and isolate leakage from the reactor coolant pressure boundary before predetermined limits are exceeded.

7.6.2.2.1 Power Sources Power separation is applicable to leak detection signals that are associated with the isolation valve systems. Four power sources are used to comply with separation criteria. Equipment associated with Division 1 is powered by -

Division 2 equipment is powered by 120-Vac 120-Vac Instrement Bus A.

Instrument Bus B.

.7.6.2.2.2 Eauipment Design The systems or parts of systems which contain water or steam coming from the reactor vessel or which supply water to the reactor vessel, and which are in direct communication with the reactor vessel, are provided with leakage detection systems as listed above (Figure 7.3-7 and Drawing Mos. M-155 and M-157).

7.6.2.2.3 Main steamline Laak Detec{.199/

The main steamline leak detection subsystem consists of three types of monitoring circuits. The first of these monitors the ambient and differential area temperature, triggering the alarm circuit and main steamline isolation The valve logic when the observed temperature rises above a preset maximum. l second circuit monitors the nass flow rate through the main steanlines and '

uses this information for comparison purposes and to trigger the alarm circuit i and close isolation valves when the observed flow rate exceeds a preset maximum. The third type of circuit detects low water level in the reactor vessel and sends a trip signal to the isolation valve logic when the level decreases below a preselected setpoint.

The ambient and differential temperature monitoring circuits consist of thermocouple, temperature switchpoint modules, selector switches, meter modules, and meters. The point modules receive their inputs from thermocouple positioned in the main steamline tunnel so that they are screened from direct incident-radiated heat and yet are still able to respond to the temperature of the ambient air. The temperature elements.are electrically connected to their respective temperature switch point modules and to temperature indicators located on a panel in the main control room (Figure 7.6-1). Ambient or differential temperatures above the setpoint Itaits will trigger an annunciator alarm, a red indicator lamp on the appropriate point module, and send a trip signal to the isolation logic.

REV. 1-APRIL 1985 7.6-10

LSCS-UFSAR The temperature switchpoint module is a solid-state device for monitoring temperature using the thermocouple as a sensor. The point module compares an amplified thermocouple input and an adjustable reference voltage (setpoint).

When the amplified thermocouple voltage exceeds the reference voltage, temperature switches and differential temperature switches are actuated. The point module output can also be switched to the meter module, which consists of a voltage follower used as a high input impedance buffer between the point module and the meter.

Each main steamline is instrumented to monitor the steam flow rate through it. The flow rate monitoring components of the main steamline leak detection system consist of a set of four differential pressure-indicating switches (DPIS) and an associated steam flow restrictor for each main steamline. The outputs of the DPI uwitches are connected to components of the primary containment and reactor vessel isolation system and give a coincidence signal for main steamline flow below the setpoint trip value.

Flow rates in excess of the predetermined setpoint will cause DPIS actuation.

i Reactor water level is monitored to indicate the presence of a steam leak.

Under conditions of normal reactor operation at constant power, reactor water level should remain fairly constant at its programmed level, since the rate of steam mass flow leaving the boiler is matched by the feedwater mass flow rate into the vessel. However, given a condition of continued steam leakage from the closed system, the reservoir of condensate to be returned to the reactor vessel decreases, and the reactor water level soon cannot be maintained.

Reactor water level is monitored by four ' level switches as part of the design l of the nuclear steam supply system in addition to the normal complement of process monitoring instruments. Reactor water level falling below the predetermined minimum allowable level will result in switch actuation and subsequent primary containment and reactor vessel isolation system response.

7.6.2.2.4 RCIC System Leak Detection Subsystem Function The steam circuits of the RCIC system are constantly monitored for leaks by a leak detection subsystem. Leaks from the RCIC will cause a change in at least one of the following monitored operating parameters: sensed area temperature, steam pressure, or steam flow rate. If the monitored parameters indicate that a leak may exist, the detection subsystem (Figure 7.3-7 and Drawing Nos. M-155 and M-157) responds by activating an annunciator and initiating a RCIC isolation trip logic signal.

l l

7.6-11 REV. 3-APRIL 1987 i

---_ ________________f

Lscs-UrsAR Theory of operatigl .

The RCIC leak detection subsystem consists of three types of monitoring circuits. The first of these monitors ambient and differential temperature to ,

trigger an annunciator when the observed temperature rises above a preset maximum. The second type monitors the flow rate (differential pressure) through the steamline and triggers an annunciator when the observed differential pressure rises above a preset maximum.- The third type of circuit i I

monitors the steamline pressure upstream of the differential pressure element and is also annunciated. Alars, outputs from all three circuits are also used l' to generate the RCIC autoisolation signal.

The area temperature monitoring circuit is similar to the one described for the main steamline tunnel temperature monitoring system (ree subsection 7.3.2.2.3.11).

The steamline from the nuclear boiler' leading to the RCIC turbine is instrumented with two sets of two differential pressure-indicating switches

. connected to measure the differential pressure created as steam flows past an  ;

j elbow in the line so that the steam flow rate through it can be monitored and '

used to indicate the pressure of a leak or break. In the presence of a leak, the RCIC system respoida by generating the autoisolation signal.

Steamline pressure to the RCIC turbine is monitored te detect gross system leaks that may occur upstream of the differential pressure element (elbow),

causing the line pressure to drop t'o an abnormally low level. This line pressure is monitored by the pressure switches which also monitor RHR  ;

steamline pressure (see subsection 7.6.2.2.5).  !

7.6.2.2.5 RHR System Leak Detection subsystem Function The steam circuits of the RHR system are constantly monitored for leaks by the 3 leak detection system (Figure 7.3-7 and Drawing Nos. M-155 and M-157). Leaks l from the RHR system are detected by ambient and differential temperature monitoring as well as by flow rate and system pressure similar to the RCIC system. Logics from all these channels are used to generate RHR auto isolation signals and alarm communication. If the monitored parameters indicate that a leak may exist, the detection system responds by activating an annunciator and initiating a RHR isolation trip logic signal. l Theory of operation l

The RHR leak detection subsystem consists of three types of monitoring circuits. The first of these monitors ambient and differential temperature, triggering an annunciator when the observed temperature rises above a preset maximum. The second monitors the flow rate (differential pressure) through j the steamline, triggering an annunciator when the observed differential l

pressure (flow) rises above a preset maximum. The third type of circuit l monitors the line pressure upstream of the differential pressure element and I 1s also annunciated. -Alarm outputs from all three circuits are also used to generate ths RHR autoisolation signal.

l 7.6-12 REV. 1-APRIL 1985

J LSCS-UFSAR.

The area temperature monitoring circuit is similar to the one described for the main steamline-tunnel temperature monitoring system (see Subsection 7.3.2.2.3.11. and Figure 7.6-1).

i Flow >; ate monitoring'is provided on the RHR shutdown cooling return line and the RHR steamline to the RHR condensing heat exchanger. Flow rates in excess of the' predetermined maximum are indicative of a line leak or break and will generate differential pressure heads of sufficient magnitude to cause DPIS actuation. '{

I j

Process line pressure is :nonitored to detect gross system leaks that may occur upstream of the flow element, causing the line pressure to drop to an abncimally low level.' Line pressure is monitored by two pressure switches u

actuating on low pressure - l Additionally, differential pressure between RHR lines and RHR and LPCS lines is monitored by differential pressure-indicating switches to detect RHR or LPCS line break. Annunciation is provided in the main control room.

7.6.2.2.6 Reactor Watf- Cleanup System Leak Detecticn Subsystem Function I

The purpose of.this par. of the leak detection system is to monitor the reactor cleanup system components and activat.e a system annunciator should a system leak of sufficient magnitude occur. In addition to annunc'iation, a high flow comparison activates automatic isolation of the cleanup system.

Thsory of operation The reactor water cleanup (RWOU) leak detection subsystem consists of two types of monitoring circuits.

The reactor water cleanup leak detection subsystem includes an area drain monitoring system. The monitoring subsystem activates an annunciator when the drain flow exceeds a predetermined value. In addition to floor drain detection methods, leakage is also monitored by the flew comparison of water inlet and outlet flow rate.

The floor drain monitoring circuits are described in Subsection 7.7.15.2.8.

-RWCU system inlet flow is compared to RWCU outlet flow to the feedwater lines or to the main condenser. A flow element, flow transmitter, and square root converter for each of these three lines provide signals to a flow summer which trips two timers and activates an alarm at a preselected difference in flows. l After a time delay to avoid spurious trips, the time switches trip differential flow alarm units, activating isolation. Flow indication for each l of these three lines and differential flow indication are provided in the control room.

7.6-13 REV. 3-APRIL 1987

LSCS-UPSAR I

7.6.2.2.7 Testability The proper operation of the sensors and the logic associated with the leak detection systems is verified during the leak detection system preoperational test and during inspection tests that are provided for the various components during plant operation.

All temperature switches, both ambient and differential types, are connected to dual thermocouple elements. Each temperature switch can be checked for i l

operation by observing the ambient temperature or differential temperature and l then turning the trip point adjustment and determining that the switch operates at the proper temperature, Each temperature switch contains a trip light which lights when the i

temperature exceeds the setpoint. The setpoint is manually reset to its required value by observing the setpoint on the meter in the main control room. In addition, keylock test switches are provided so that the logicThus, can a be tested without sending an isolation signal to the system involved.

complete system check can be confirmed by checking activation of the isolation relay associated with each switch.

RWCU differential flow leak detection alarm units are tested by inputting a millivolt signal to simulate a high differential flow. Alarm and indicator lights monitor the status of the trip circuit.

Testing of flow, reactor vessel level, and pressure leak detection equipment is described in Subsection 7.3.2.

7.6.2.2.8 Environmental Considerations )

i '

The sensors, wiring, and electronics which are associated with the isolation valve logic are designed to withstand the conditions that follow a loss-of-coolant accident.

7.6.2.3 Analysis (

7.6.2.3.1 General Functional Requirement Conformance The part of leak detection system instrumentation that is related to the system isolation circuitry is designed to meet requirements of the primary containment and reactor vessel isolation control system.

There are at least two different methods of detecting abnormal leakage from each reactor coolant pressure boundary system within the primary containment and in each area as shown in Table 5.2-8.

The instrumentation is designed so that it may be set to provide alarms at established leakage rate limits and isolate the affected system if necessary.

The alarm points are determined analytically, based on design data and on measurements of appropriate parameters made during startup and preoperational tests. This satisfies the power generation design bases and safety design bases.

7.6-14 REV. 1-APRIL 1985 1

LSCS-UFSAR

• 1.6.2.3.2 Specific Requirement Conformance Attachment 'lh presents the system conformance to IEEE criteria and other regulatory requireaants.

7.6.2.3.3 Reaulatorv Guides This topic is discussed in Appendix B of the FSAR.

• 1.6.2.3.4 10 CFR 50 Appendix A

-criterion 13 The leak detection sensors and associated electronics are designed to monitor the reactor coolant leakage over all expected ranges required for the safety of the plant.

Automatic initiation of the system isolation action, reliability, testability, independence, and separation have been factored into leak detection design as required for isolation systems.

Criterion 19 .

Controls and instrumentation are provided in the control room.

criterion 20 Leak detection equipment senses accident conditions and initiates the containment and reactor vessel isolation control system when appropriate, criterion 21 Protection related equipment is arranged in two redundant divisions and maintained separately. Testing is covered in the conformance discussion for regulatory guides, criterion 22 Protection related equipment is arranged in two redundant divisions so no single failure can prevent isolation. Functional diversity of sensed variables is utilized.

Criterion 23 Signals provided are such that isolation logic is fail safe.

Criterion 24 The system has no control functions.

l i I ij

'l.6-15 REV. 1-APRIL 1985 l

-__ -- _ _ _ _____ _______a

l tsCs-UrsAR I f

j criterion 29 No anticipated operational occurrence can prevent an isolation.

Criterion 30  !

The system provides means for detection and generally locating the source of reactor coolant leakage. This criterion also applies to the sump, drywell, recirculating pump, and ADS leak monitoring equipment. ,

1 Criterion 33 The leak detection total leakage limitations are confined to conservative levels far below the coolant makeup capacity of the RCIC system.

Criterion 34 Leak detection is provided for the RHR shutdown cooling and RCIC lines penetrating the drywell.

Criterion 35 ECCS leak detection is augmented by the sump monitoring system portion of.the leak detection system. ECCS leaks can easily be identified by operator correlation of various flow, pressure, and reactor vessel level signals transmitted to the control room.

Criterion 54 Leak detection is provided for main steam, RCIC, RHR shutdown cooling, and reactor water cleanup lines penetrating the drywell. Sump fill rate monitoring provides leak detection for other pipes penetrating the drywell and  ;

reactor buildings.

~1.6.3 Neutron Monitoring Systen Instrumentation and Controls "J.6.3.1 General svetem Description The safety-related subsystems of the neutron monitoring system consist of the following:

a. intermediate range monitor (IRM) subsystem, and

b. average power range monitor (APRM) subsystem.

The purpose of this system is to detect excessive neutron flux in the core and provide signals to the reactor protection system and the rod block portion of l

I the reactor manual control system. It also provides information for operation and ccmtrol of the reactor.

l l

~1.6-16 REV. 1-APRIL 1985 l - - - - - - - - - _ -

w LSCS-UFSAR Analysis 7.7.14.4.3.

Ge..;;ral Functional Requirement Conformance A sensor / converter is placed in the local area, along with an auxiliary unit

~1ocal area. An indicator / trip unit is in the control roo level and to. generate alarms.

ggg,1fic Reaulatory Requirement Conformance 10 CFR 50 ADDendix A Criterion 13 The subsystem conforms to criterion 13 in that the instruments employed more <

than. adequately cover the anticipated range of radiation under normal 1 operating conditions with sufficient margin to include postulated accident conditions.

Leak Detection System Instr w itation and Controls 7.7.15 7.7.15.1 De11gn,),ggig The instrumentation and controls associated with the leak detection system are discussed in Subsection 5.2.5.

The purpose of the leak' detection instrumentation and controls is to provide the signals necessary to detect and isolate leakage from the reactor coolant pressure boundary before predetermined limits are exceeded.

F 17.7.15.2 System Description 7.7.15.2.1 Power Sources Power separation is applicable to leak detection signals that are a R with the isolation valve systems. Equipment associated with Division 1 is powered by separation criteria. Division 2 equipment is powered by 120-Vac 120-Vac Instrument Bus A.

Instrument Bus B.

7.*T.15.2.2 souionent Design i

I The systems o parts of systems which contain water direct communication with the reactor vessel, are provid M-157).

Similar items of water utilization equipment within the drywell share a common The unidentified area'and therefore a common leakage detection system. designed with a capability to

. leakage detection systems inside the drywell are detect leakage less than established leakage rate limits.  !

1

.(,

LSCS-UFSAR Major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals, valve stem packing, equipment warming drains),

are contained and piped to an equipment sump and thereby identified.

Equipment associated with systems within the crywell (e.g., vessels, piping, fittings) share a common free volume and therefore common leakage detection systems. Steam or water leaks from such equipment are ultimately collected in the floor drain sumps.

Each of the sumps is protected against overflowing to prevent leaks of an identified source from masking those from unidentified sources.

The equipment drains collecting system and area drains collecting system are designed to detect unidentified leakage in excess of 1 gpm within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

As added backup to the unidentified drain system, the main steamlines within the steam tunnel inside the secondary containment are monitored by wall-mounted temperature detectors within the tunnel. The locations of the sensors are controlled so that steam leaks in excess of 1 gpm will also be detected within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

Outside the drywell, the piping within each system monitored for leakage is in compartments or rooms separate from other systems wherever feasible so that '

leakage may be detected and identified in drains, by area temperature indications, or high process flow.

7.7.15.2.3 Recirculation Pump Leak Detection Subsystem Punction The purpose of the recirculation pump leak detection subsystem is to monitor the rate of coolant seepage or leakage past the pump shaft seals. Excessively high rates of coolant flow past the seal and results in annunciator activation.

Theory of operation There are two recirculation pump leak detection subsystems, one for each of the pumps in the recirculation loop. The recirculation pump leak detection system consists of two types of monitoring circuits (Figure 7.7-14). The first of these monitors the pressure levels within the seal cavities, presenting the plant operator with a visual display of the sensed pressure in each of the two cavities. The second monitors the rate of liquid flow from the seal cavities.

The pressure levels within seal cavity No. I and seal cavity No. 2 are measured with identical instruments arranged similarly, only one circuit, seal cavity No. 1 pressure monitoring, is discussed. The pressure within seal cavity No. 1 is measured using a pressure transmitter. The pressure transmitter produces an output signal whose magnitude is proportional to the sensed pressure within its dynamic range. This output signal is then applied l

to pressure indicators for plant operator readout.

All condensate flowing past the recirculation pump seal packings and into the seal cavities is collected and sent by one of two drain systems to the drywell l

l equipment sump for disposal. The first drain system drains the major portion 1

7.7-91 REV. 1 - APRIL 1985

NW OO Is I D FS -

TW OE WN 0 AO .V t O (M 0 0 8 a 9 RL UB OAl LeL BI X 1 l 1 D NV t

Y t CY NR EO a a a b UG a a QE ET RA FC

• 5  ? 5 R 6 6 1 0 0 1 P 1 1 C 0 0 0 0 A 0 0 0

M EE ,L 4 0 4 6 U GC A 1 2 MEAATXFI 6 7 4 0 6 3 I RRFAUOT 1 0 0 1 XOEREL I 0 1 1 1 1 1 1 ACVUl F%Nl 1

M AS I E

M R U U 5 6 1 3 MMESg 4  ?

3 6 3 6 I ANSI 9 l 1 S 1 0 1 XEI Es 9 o 1 t.

t ATLRp l 1 1 1

) u MS P 24 S e

- R E oF MLR UEUg

.O S 8 7 8 3 6 2 T MSSi 6 8 6 9 s N I SSs XEEp 5

0 6

0 1 0 1 1 i1 E AVR 1 1 1 1 1 1 v M P ET E LE F E M R BE O UEUg 0 8 0 6 AH v MMSi I OSs 0

2 0

3 4 6 4 6 TS( R A XDEp 0 0 1 1 1 0 1 1

1 1

M A R 1 1

, - M M P U

S 9

MN 4 UO R .

5 3 4 0 MRXB 1 3 2 1 0 1 5 I TUN 1 2 1 2 3 XUL 1 1 AEF4 MN

"~ n n

. l RS R

O O YN t e l O

- t a - - - -

OE L a a r u F cT cT

~

F L IA I T O O

e H le l

l i r R

O eP eP jR jR SO NMNVI C E

r e

r e

aR FW o

t T

C A

Re,R e ,

RIGIT P a n f I

RE t t i l w E dO df N OR a a uo R aO SC O CU w tI a-GEO N CF EA I

T NA T d w

e d

e C nH D R gl eF N I

os lo-e Ls a s D D P IR e e rp r a NIWED N ,E I

R C SM EP E F F fC rN eAs tMs e5 r1 EE SR oy op tD t y OAR REFUSE OLA AU fC aEa u1 a a N T S E ET AE oF A

oF s

M d wDp y

s sn ES RS r ,

en e n r D.

I D R s eXb ee CE no no CT s , s , rp NR eA/ ei ei TD/REA or or i

EN PO I P E T E DA Le Le FMw Gt Gt R -

UTNE BRC EE E 1

1 2

1 1

2 1

3 1

2 2

2 A MTO EVTPP I

OS R

U G

1 1 1 1 5

2 5

2 5

CUC AN R ,H I

F 5

1 5

1 5

1 A

1 1 A

1 A

TLEC ' 2 3 2 2 O SLC E - N 1 1 1 1 2 2 2 DI A N T/ AP RA 1 1 1 5 5 5  % 5 N H AE AR PG 5

1 5

1 5

1 1 1 1 1 1 S IMS NM I

HD T ES TAI TA 3yyU H[01" M:<* oI pyH t

BDS 5 6'

_ O DT N

(t NW OO

_ ID FS -

TW OE WN AO 8 s 4

.VtOW 8 -

RL LsLO 1 1 l 1 UB OA1 BD D NV I -

CY NR EO UG a b 'a a QE ET RA FC E

• 3

• 4 8 R 8 3 0 0 P 0 1 C 0 0 A 0 0 < <

M EE L U GC A 1 1 6 MEAATXFI IRRFAUOT 3 2 8 0

4 0

XOEREL I 0 1 ACVUHFtN 1 1 1 1 M AS' I

'E M R UMEUg MANSi 3 2 6

2 5

0 2

I EI Ss 2 XTLEp 1 1 1 1 AS R 1 1 1 1 M P

) E MLR 24 UEUg

- MSSi 4 0 9 9 ISSs 6 9 9 5 0F XEEp 1 1 1 1

.O AVR 1 1 1 1 5 M P 12 -

E M R ET UEUg LE MMSi 8 5 3 6

4 3

BE I OSs XDEp 3

1 6

1 1 1 AI I A R 1 1 1 1 TS( M P MN UO R MRXB 5 2 5

9 1 5

I TUN 6 6 XUL 1 3 2 1 AEF1 MN ,

n -

o- - a e s l m c s oa sr s a a p I c re p

y y S eh B B e sc N nn nn O , , i o ei I p p Li d T i i n t n2 P r rO mi o I T T- as Ct R T eo tP f a

e C e eP S nn nR S ,

ome us E iO i D b- b , nn su rT rf io scr uP uf ai oae TR TO Mt L V,p 1 2 1 1 4 5 ,

E 3 3 R .

U 2 2 2 2

)

G 5 5 I 5 5 F 1 1 1 1 A '

• I 3 3 4 5 -

- I AP 2 2 2 RA 2. "2 AR 5 5 5 5 1 1 PC 1 1 gppM)t' em o o t t

<. O1 >mDHU

• . H

_ N -

- NN -

_ OO .WN FS ID 6 TN OEtOW 2 8 2 0 2 2 6 AA RI ..L1BD VsLO 1 UB OA D .NV CY NR .

EO .

a a a a a a c UG a QE ET RA FC 8

R 8 0 0 1 P 0 0 O. O. O.

C O.

0 0 o o 0 o 0 o 0 8_ 5 < s s s s s s M EE L 0 0 0 0 2 U GC A 0 8 0 MEAATXFI I RRFAUOT 0 1 0 0 0 0 0 0

0 0

0 0 0 0 0 XOEREL I 0 1 1 1 1 1 1 ACVUHF%N 1 1 M AS I E

R

- M U U 4 4 2 3 9 1 MMESg 2 1 9 9 0 9 2 9 9 9 I ANSI 1 0 9 0 0 0 1 XEI Es 0 1 1 1 1 ATLRp 1 1 1 -

MS P

)

24 E MLR UEUg 8 7 8 8 9 3 1 5 F MSSi SSs 0 6 0 5 0 0 0 1 1

0. O I XEEp 1 1 1 0 1

1 1

1 1

1 1 1 5 AVR 1 1 1 13 M P E

ET M R U 5 7 LE U MESg 2 5 4 0 4 5 9 0 BE I MSi 9 3 9 2 0

9 0

9 0 0 1 AH XOEs ADRp 0 1 0 1 1 1 1 1 1 TS( M P 1 1 MN 9 0 9 9 9 0O R 9 4 9 RXB 4 3 3 3 3 1t TUN I 3 0 3 0 0 0 0 0 0 XUL 0 5 1 1 1 1 1 1 AEF% 1 1 MH E u S a T c E A -

.- r RI R - u o EL o RW u c e- ws i

c WA r OO c rs n OM r

~

rr i r Oe Te e yr - TL v v R PO E N re d d CF i o co fl fl N A ct et e DA l O am i r

e EM eo Ro oa oa n N I i r e RE RM M V V T l o G F h e e O AN w P if T ep t p rc rc p O xs NS ur YI I

R un l s l n l

l w I Y nm om ur si si f m ouP TT d C Aa Ao Ao S Ou B u oc oc I U E P P VB t S r i l ST f f l ec l ec e E fT f t fF on on CRe CR e rn I I D o r

oce o r AN EA o o s t n/

s uo zi TR W CT RL pi pi t n/

se sn se CO it it si% si% it AS d sw sn st EO ra ra aa0 aa1 ea EI o oo oo LP LC oa l w DC T1 T1 FM3 FM1 Sl RD R 2 1 1 1 2 1 1 2 - - - -

1 1 2 2 3 E 6 6 7 .

R 3 3 3 3 2 2 3 U 2 . . . .

G .

5 5 5 5 5 I 5 5 5 1 1 1 1 1 1 1 F 1 1 1 2 2 3

, 6 6 7 .

3 3 4

- H 2 3 3 3 3 AP 2 2 . . . . . .

RA 5 5 5 5 5 5 5 5 5 AR 5 1 1 1 1 1 1 1 1 PG 1 1 g>tMM D Ht* n Ig ' 01 pd Hd ' t

-l.' 't,i

_ - - i

_ AN - ttI It

_ ROFOWC 0 O F UI OLOE BDS 0

O DT N . -

_ NW

_ OO .

_ I D FS - )

TW OEtWN 6 VsOW

_ A0 0 O RI J .L1LO 0 2 gsa UB OA BD no D NV 1 ir f tf Yi 5 i CY 1 md NR ie EO n lt UG a o a .

QE a a i ai t ET -

t t i RA c ti m FC e un i

• s bi l

• b

• u ,s y 8 8 S di t 1 0 e e R 1 f tt f P

C 0 0 0 o an l e s a

< < s 8 2 uv ce R e l P c ae C f

l EE L 0 n ch M U GC A 2 e t 0

MEAATXFI 6 0 r t e I RRFAUOT 2 0 e on h XOEREL I 7 7 1 f ne t ACVUHF%N e h M AS I . R ew r

ev s

t e et o E l e wi b M R u s m a UM U 4 a ( Ri MAESg 1 9 f Fl l 1

1 ENSi 7 6 9 e C l

) XTI Es 9 9 g d Hy e 24 ASLRp M P n o i C ee t w

- t uf s 0P E i N qa i 1 LR m Y is O f .

UEU - 8 i D n P.

5 MSSg 0 0 5 l O uR P 14 I SSi 0 8 0 P C XEEs 0 9 1 = h eC M AVRp 1 t cM ET M P c i n ee n g LE E w

hh i BE M R s se ,t t Al i U U 0 t l TS( MES g I MSi 0 3 2 0

n e vs so tt us XOEs 8 7 l n e ADRp 9 9 1 d i a et r M P c n ia i

n a se nr er te

' ah o MN 8 9 t rt f UO R 8 n et t e MRXH 3 3 e o r I TUN 1 9 0 u a en e XUL 8 1 1 q c r h AEF% 2 e i es t MN r d vi f n e d n i ser n i a p A ee r m = rh h x ot e e t - R u os O P b i m w n- f . e o Oe Be TY f s ys p v v CR S  ;

y urbu AO C N

O fl oa fl oa ET P e r

se ddc a o w

I V V RN I I

hdee l T g g E f nc NV t t adb P ne ir i r IN n e i n .m I

I e t w t ud r o R

C ni ec ni ec E t a uoeer pec pec ST r r d o b s wf S

E OEe sore AN e e eh.tt y pd uo s EA vt d D RL dr o e o il s e t n/ t n/ munwsa%t si% si% CO aa aa1 NO nt l e uw0a aa0 I C I S f ad s o 0i FM3 FM1 ov tin 1t sl vo i 1 2 1 s dh u bi n n

- - t e p s o t ai 1 ntae ah E 5 5 e a r r slt ts R 5 d mg tu U 4 4 iia N n c s n G 5 ctrY else I 5 5 nsaDvaev 1 1 F 1 Ir pO E clL

• 5 5 1 = == == =

- H 5 5 tt+ **

• AP 4 4 tt *

• RA .

5 5 t

• AR 5 5 1 1 PG 1 1 WM4, oI >O0,HV WW NhdM t gm*oIN '*

- : ' ' , i

LSCS-UFSAR 15.2.4 Inadvertent MSIV Closure l 15.2.4.1 Identification of Causes and Frequency Classification I i Various steauline and nuclear systen malfunctions, or operator actions, can initiate main steam isolatien valve closure.

Examples are: low-steauline pressure, high-steaaline flow, high-steaaline radiation, low water level, or manual action.

Inadvertent MSIV closure is categorized as an incident of moderate frequency irrespective of whether one MSIV or all MSIVs close.

To define the event of all MSIVs closing as the initiating event and not the-byproduct of another transient, implies only the following contributions to the frequency considerations: manual action (purposely or inadvertent); spurious signals such as low pressure, low reactor water level, low condenser vacuum, etc.;

and finally, equipment malfunctions such as faulty valves or operating mechanisms. A closure of one MSIV may cause an immediate closure of all.the other MSIVs depending on reactor conditions. If this occurs, it is also included in this category. During the main steam isolation valve closure, position switches on the valves provide a reactor scran if the valves in three or more main steaalines are less than 90% open (except for interlocks which permit proper plant startup).

protection system logic, however, permits the test closure of one ,

valve without' initiating scram from the position switches.

For the condition of one MSIV closing, one MSIV may be closed at I I

a time for testing purposes. This is done manually. Operator error or equipment malfunction may cause a single HSIV to be closed inadvertently. If reactor power is greater than about 75%

when this occurs, an ApRM high flux scram or high steauline I isolation scram may result, if all MSIVs close as a result of the single closure, the event is included in the frequency group of the preceding paragraph.

15.2.4.2 Sequence of Events and Systems Operation The sequence of events for the closure of all MSIVs (Figure 15.2- I

6) is as follows:

Time (sec) Event 0 Initiate closure of all main steaaline ,

isolation valves (MSIV). '

O.3 MSIVs reach 90% open.

4 0.3 MSIV position trip scram initiated.

15.2-16 REV. 0 - APRIL 1984

l l

h i' l LSCS-UFSAR L

1.6 Loss of feedwater begins as turbine l . loses steam supply.

L 2.42, 2.51, 2.60, Relief valves actuated by groups l 2.70 and 2.80 1, 2, 3, 4, and 5.

3.0 All main steanline isolation valves closed.

4.47 Recirculation runback on low level alara (L4) and feedwater flow <20*..

Est. 6, 9, 7.3 Relief valves reclose by groups ~

7.6, 7.9 and 8.8 5, 4, 3, 2, and.1.

10.35 Group 1 relief valves reactuate i on high pressure.

10.90 Group 2 relief valves reactuate on high pressure.

Est. 15.9, 17.2 Relief valves reclose by groups 2, and 1.

18.7 Vessel water low level trip (L2) initiates recirculation pump trip. ,

Vessel water low level trip (L2) initiates RCIC & SpCS (not simulated).

20.84 Group 1 relief valves cycle open i and closed on pressure.

As all main steam isolation valves close, position switches on these valves initiate a reactor scran when the valves in three or more main steaalines are less than 905 open. This scraa signal requires that the reactor pressure is above the reactor scran pressure setpoint and that the reactor mode switch is in the RUN position. Credit is taken for successful operation of the reactor protection system. Normal operation of the pressure relief system logic which initiates the opening of relief valves is also assumed during the time period covered by the analysis.

All plant control systems maintain normal operation unless specifically designated to the contrary.

For the closure of a single MSIV, that action will not initiate a reactor scran because the valve position trip logic is designed to acconnodate single HSIV closure during operation at limited.

power levels. The main steaulines are sized to carry full rated steam flow with one line closed. MSIV testability during normal reactor operation is possible. Credit is taken for the operation of the pressure signals of the NSSS and the flux signals of the reactor protection systems to initiate reactor scran. All plant control systems are assumed to operate normally unless designated to the contrary, 15.2-17 REV. 0 - APRIL 1984

l LSCS-UFSAR l Operator actions should assure that a normal shutdown occurs and that adequate core coverage is maintained for cooling requirements. Other than assurance of adequate reactor pressure relief and requisite cooling following shutdown, there are no safety actions required by the operator.

Consideration of single failures and operator errors shows that I sitigation of pressure rise is accomplished by MSIV position switch initiation of reactor scranRelief followed by reactor protection valves also operate to systen shutdown of the reactor.Each of these aspects of safety control limit vessel pressure.

is designed to single failure criteria and, in this case, additional failures would not alter the results of the analysis.

Failure of a single relief valve.to open is not expected to have any significant.effect because less than 20 psi increase in vessel pressure would occur. The peak pressure is still considerably less than the 1375 psig pressure limit.

15.2.4.3 Core and System performance Mathematical Model An extensive nonlinear dynamic model is employed in the transient analyses. The model is described in Reference 3.

Input parameters and Initial Conditions ,

i The reactor is initially operating at 105% of NB rated power with a vessel done pressure of 1020 psig. Other plant parameters are .

as shown in Table 15.0-2.

The assumptions and conditions are as follows: ,

i

a. Automatic circuitry et operator action initiates closure of the main steamline isolation valve (s) which in turn initiates the transient.

b. The main Thesteam isolation valves close in 3 to 5 worst case, the 3-second closure time, seconds.

is assumed for the analysis shown here.

c. position switches on the valves initiate a reactor scran when the valves are less than 90% open.

Closure of these valves inhibits steam flow to the feedwater turbines terminating feedwater flow.

d. Valve closure indirectly causes a trip of the main turbine and generator.

e. Because of the loss of feedwater flow, water level within the vessel decreases sufficiently to initiate trip of the recirculation pump and initiate the HpCS and RCIC systems.

15.2-18 REV. 0 - APRIL 1984

LSCS-UFSAR Results For closure.cf all MSIVs, Figure 15.2-6 shows the changes in

'important' nuclear systen variables'following simultaneous isolation while the reactor is operating at 105% of NBR steam flow. Peak neutron flux reaches 269% of NBR power flux at-approximately 2 seconds. At this time, the nonlinear valve g

closure characteristic exerts a dominating effect and the assumed

' conservative scran characteristic has not yet allowed credit for full shutdown of the reactor. No significant increase.in fuel surface heat flux nor reduction in MCPR1 occurs. Water level decreases sufficiently to cause a recirculation pump trip with accompanying initiation of the HPCS and RCIC systems at approximately 18 seconds. However, there is a delay of up to 30 seconds before water supply enters the vessel. There is no change in the thermal margins during the transient.

The nuclear systen relief valves begin to open automatically at approximately 2'.4' seconds after the isolation is initiated. The valves close sequentially as the stered heat is dissipated and will continue intermittently to discharge steam from decay heat.

The peak pressure in the main steaaline is 1152 psig. Peak pressure at vessel botton is 1199 psig, clearly-celow the pressure limits of the reactor coolant pressure boundary.

For closure of only one MSIV (such as is permitted for testing purposes), the normal test requirements limit-the reactor power to approximately 75% of design conditions to preclude a high flux scran, high pressure scran or complete MSIV isolation of all main steaalines. Only one MSIV is permitted to be closed at a time for testing purposes; this testing mode precludes a' reactor scran from the MSIV closure switches on the valve undergoing test.

Inadvertent closure in 3 seconds of an MSIV during 105% NBR steam flow results in flow disturbances sufficient to raise vessel pressure and reactor power enough to cause an APRM high neutron flux'scran. No quantitative results are shown for this event because no significant effect is imposed on the reactor coolant pressure boundary. Systen pressure is regulated via the main i turbine bypass system for the other three steaalines.

Inadvertent closure of one or all MSIVs while the reactor is i shutdown (such as operating State C, as defined in Appendix D of l the FSAR) will produce no significant transient. MSIV closure during plant heatup (operating State D) will be less severe than for the maximum power cases discussed above.

l 15.2-19 REV. 0 - APRIL 1984 l

i

l 1

l LSCS-UFSAR l Considerations for uncertainties in the analyses are included in the resetor protection systen settings, system capacities, and systen response characteristics. In all cases, the most conservative values were used, for example: the slowest allowable control rod notion, the scran worth curve for an all-rods-out condition, minimum valve capacities for overpressure protection, action points on the relief valves were taken at 115%

of the nominal setpoint.

15.2.4.4 Barrier Performance The consequences of NSIV closure, whether involving all MSIVs or a single HSIV, do not result in any temperatures nor' pressures in excess of the. criteria for which the fuel clad, pressure vessel, or containment are designed; therefore, these barriers maintain their safety integrity.

The activity released to the suppression pool via the relief valves' discharge is activity in the reactor coolant.

15.2.4.5 Radiological Consequences While the consequence of this event does not result'in fuel failure, it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled meteorological and release conditions. If purging of the containment is chosen, the release will be done in accordance with established technical specifications; therefore, this event, at the worst, would only result in a small increase in the yearly integrated exposure level.

I hil/1Y auhn$

' O,M4 l

15.2-20 REV. 0 - APRIL 1984

=-

EEEBB ' '

d Y$ ~

it g

~

=rn -

,g ~

%i h -

,_ '\ ,,

b

• y -

g s i sb l gog -

~

E a kh 3 -

na

~~~

g #

/ ,

i i

• r r" d .n, ,

. , , u, .

d 5 i N N N '

N talia m 1xnsa E~

w hh . -

h Fu e -,

@!,E d@ - -

ig_;

1 w .

.s a

8 pegg v a - b5r y --

h5

• W e

4- g_

k g

- ~ , , . .

(- s g_

y-s[ 4-$,

4-7.?

" i

> d  %- a 36 f

.(f

~

,, f/ .-a

_a -

j I ~

'V i . . . .~ ^ -

. N V "

d f f $

• talim A INDG4 LA SALLE COUNTY STATION

'JPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 15.2-6 3-SECOND CLOSURE OF ALL MSIV'S 105% POWER REV. 0 - APRIL 1984

LSCS-UFSAR values applicable to a realistic analysis. The specific models and assumptions and the program used for computer evaluation are described in Reference 2. The analyzed leakage path is shown in Figure 15.6-3.

The radiological exposures are based on the assumption that the activity released to the containment is proportional to the mass loss. In addition to the activity contained in the coolant prior to blowdown, additional activity may be released as a consequence of vessel depressurization and possible reactor scran. This additional release is taken into consideration in evaluating the radiological' exposures and is based on experimental data collected from BWR reactor shutdowns on similar plants (Reference 3).

The activity airborne within the secondary containment is a function of the primary coolant activity, blowdown rate, condensation rate, fraction of liquid which flashes to steam, and i leakage rate from the containment. It is assumed that normal ventilation occurs for the first 10 minutes, followed by building isolation and initiation of the SGTS for the remainder of the event. Correlating the effects of these parameters and considering a combined washout-plateout factor of 2, the activity airborne in the secondary containment as a function of time is presented in Table 15.6-2.

The. fission product activity released to the environment is based on.a ventilation rate from the secondary containment 110,000 cfm for the first 10 minutes and a standby gas treatment system iodine renoval efficiency of 95% with a rate of 4,000 cfm for the duration of the accident. The iodine released as a function of time is presented in Table 15.6-3.

The radiological exposures have been evaluated for the meteorological conditions defined in Subsection 15.0.2.

The doses are presented in Table 15.6-4. [ggg.gygg

((0cCd70Vi) 15.6.3 Steau Generator Tube Failure '

j Not applicable.

15.6.4 Steam Systen Pipe Break Outside Containment 15.6.4.1 Identification of Causes and Frequency Classification This event involves the postulation of a large steaaline pipe break outside containment. It is assumed that the largest steanline, the main steauline, instantaneously and circumferential1y breaks at a location downstream of the outernost isolation valve. This evaluation therefore represents the envelope evaluation of steaaline failures outside I containment.

15.6-7 REV. 0 - APRIL 1984

LSCS-UFSAR The plant is designed to detect such an occurrence immediately, initiate isolation of the brcken line, and actuate the necessary protective features. The main steaalines are designed to high quality engineering codes and standards and restrictive seismic and environmental requirements. However, for the purpose of evaluating the consequences of a postulated large stenaline rupture, the failure of a main steaaline is assumed to occur. i This event is categorized as a limiting fault with respect to i frequency classification.  ;

15.6.4.2 Sequence of Events and Systems Operation Release of radioactive materials outside the secondary containment results from postulated breaches in the reactor coolant pressure boundary or the steam power conversion systen boundary. A break spectrum analysis for the complete range of reactor conditions (Section 6.3) indicates that the limiting fault event for breaks outside the containment is a complete severance of one of the main steaalines. The sequence of events l and approximate time required to reach the event is as follows:

Time (sec) Event 0 Guillotine break of one main steaaline.

S 0.5 High stenaline flow signal initiatestMSIV,closurr.

<1.0 Reactor begins scras. ,

55.5 Main steaaline isolation valves fully closed.

10 Safety / relief valves open automatically on high vessel pressure and maintain vessel pressure at approximately 1100 psi.

30 Normally RCIC and BPCS would initiate on low water level (no credit taken for RCIC or HpCS in this analysis).

330 Reactor water level begins to drop slowly due to loss of steam through the safety / relief valves; reactor pressure still at approximately 1100 psi.

600 Operator initiates ADS or manually controls relief valves. Vessel depressurizes rapidly.

830 Low-pressure ECCS systems initated; core effectively reflooded and cladding temperature heatup terminated. No fuel rod failure (Subsection 6.3.3).

I 15.6-8 REV. 0 - APRIL 1984

LSCS-UFSAR A postulated guillotine break of one of the four main steamlines outside the containment results in mass loss from,both ends of the break. The flow from the upstream side is initially l'imited by the flow restrictor upstream of the inboard isolation valve. Flow from the downstream side is initially limited by the total area of the flow restrictors in the three broken lines. Subsequent closure of the MSIV's further limits the flow when the valve area becomes less than the limiter area and finally terminates the mass loss when the full closure is reached.

The effect of single failures has been considered in analyzing this event. The ECOS aspects are covered in Section 6.3. The break detection and isolation considerations are defined in Sections 7.3 and 7.6. All of the protective sequences for this event can accommodate single component failure and single operator error and still complete the necessary safety action. Refer to Appendix D of the FSAR for further details. A discussion of plant, reactor protection system, and ESF actions is given (

in Sections 6.3, 7.3, and 7.6.

Normally the operator monitors vessel pressure and water inventory to maintain core cooling. Without operator action, the RCIC would initiate automatically on low water level following isolation of the main steam supply system (i.e., MSIV closure). The core would be covered throughout )

the accident and there would be no fuel damage. Without taking credit '

for the RCIC water makeup capability and assuming HPCS failure. ADS will auto initiate to ensure termination of the accident without fuel damage.

15.6.4.3 Core and System Performance Quantitative results (including mathematical models, input parameters, and consideration of uncertainties) for this event are given in Section 6.3. The temperature and pressure transients resulting from this accident are insufficient to cause fuel damage; there are no fuel cladding perforations as a consequence of this event.

15.6.4.4 Barrier Performance Since this break occurs outside the containment, barrier performance within the containment envelope is not applicable. Details of the results of this event can be found in Subsection 6.2.3.

The following assumptions and conditions are used in determining the mass loss from the primary system from the inception of the break to full closure of the MSIVs (no 9perator action is needed in this interval):

a. The reactor is operating at the power level associated with maximum mass release, i

l 15.6-9 REV. 3 - APRIL 1987

__________________________________-_____________________-_______________J

i LSCS-DFSAR ,

I

b. Nuclear systen pressure is 1055 psia and remains I constant during closure.

]

c. There is an instantaneous circunferential break of  !

the main stensline,

d. Isolation valves start to close at 0.5 second on high flow signal and are fully closed at 5.5 seconds.

e. The Moody critical flow model (Reference 1) is applicable,

f. Level rise time is conservatively assumed to be 1 second. Mixture quality is conservatively taken to be a conctant 7% (steam weight percentage) during mixture flow.

Initially only steam will issue from the broken end of the steanline. The flow in each line is limited by critical flow at the limiter to a marinus of 200% of rated flow for each line.

For the NRC analysis of this event, an assumption is made that rapid depressurization of the RPV allows the water level to rise quickly enough to flow a steam water sixture from the main steamline' break until the NSIV is closed on that line.

For the realistic analysis of this event using the most probable-operating condition prior to the postulated break, the calculated two-phase sixture level in the RpV does not reach the elevation of the main steam nozzles before the MSIV closeu. Therefore, i only steam is released from the break during the event.

Aside'from this acknowledged difference in source terms, there is a major difference in methodology for calculating the radiological consequences for the design-basis analysis and for the realistic analysis. Each is treated separately in the next topic.

A schematic of the release path is shown in Figure 15.6-4, 15.6.4.5 Radiological Consequences Two separate radiological analyses are provided for this event.

The first is based on conservative assumptions considered to be acceptable to the NRC for the purpose of determining adequacy of the plant des.ign to meet 10 CFR 100 guidelines. This analysis is referred to as the " design-basis analysis". The second is based on assumptions considered to provide a realistic conservative estimate of the radiological consequences. This analysis is referred to as the " realistic analysis".

A schematic of the. release path is shown in Figure 15.6-4.

15.6-10 REV. 0 - APRIL 1984

l l

LSCS-UFSAR Desian-Basis Analysis The design-basis analysis utilizes NRC Standard Review plan ]

15.6.4 and NRC Regulatory Guide 1.5. The specific models and assumptions and the program used for computer evaluation are described in Reference 4. Specific values of parameters used in ,

the evaluation are presented in Table 15.6-5. l l

There is no fuel damage as a result of this event. The only activity available for release from the break is that which is present in the reactor coolant and steaulines prior to the break.

The iodine concentration in the reactor coolant is then given by l (gCi/ga):

I-131 0.039 )

I-132 0.360 I-133 0.270 I-134 0.720 I-135 0.390 {

I Because of its short half-life, N-16 is not considered in the analysis.

The transport pathway is a direct, unfiltered release to the steam tunnel, which is a part of the secondary containment. The MSIV detection and closure time of 5.5 seconds results in a discharge of 14,000 pounds of steam and 86,000 pounds of liquid from the break. Assuming all the activity in this discharge becomes airborne, the release of activity to the environment is presented in Table 15.6-6.

This level of activity is consistent with an off-gas release rate of 300,000 pCi/see after a 30-minute delay.

The calculated exposures for the design-basis analysis are presented in Table 15.6-8 and are a small fraction of the guidelines of 10 CFR 100.

kealistic Analysis The realistic analysis is based on a plausible but still conservative assessment cf this event. The specific models and assumptions and the program used for computer evaluation are described in Reference 2. Specific values of parameters used in the evaluation are presented in Table 15.6-5.

Since there is no fuel rod damage as a consequence of this event, the only activity released to the environment is that associated with the steam and liquid discharged from the break.

15.6-11 REV. 0 - APRIL 1984

LSCS-UFSAR The activity released from the event is a function of the coolant activity, valve closure time, and mass of coolant released. A portion of the released coolant exists as steam prior to the blowdown, and as such does not contain the same concentration per unit of mass as does the steam generated as a consequence of the blowdown. Therefore, it is necessary to subtract the initial steam mass from the total mass released and assign to it only 2%

of the iodine activity contained by an equivalent mass of primary coolant.

The following assumptions are used in the calculation of the quantity and types of radioactive material released from the reactor coolant pressure boundary:

a. The amount of coolant discharged is that calculated in the analysis of the nuclear systen transient. The mass loss is 36,000 pounds of steam,

b. The concentrations of biologically significant radionuclides contained in the primary coolant are as follows:

I-131 0.013 pCi/gm I-132 0.120 pCi/ga I-133 0.089 pCi/ga I-134 0.240 pCi/ga I-135 0.130 pCi/ga Measurements made on BWR's of the current generation show the activity ratio between the main turbine condensate and reactor coolant to be on the order of 0.5% to 2%. For the purpose of this evaluation, the conservative assumption is made that the activity per pound of steam is equal to 2% of the activity per pound of reactor water,

c. The noble gas discharge rate after a 30-minute holdup is assumed to be 0.1 Ci/sec, an unusually high normal discharge rate. This assumption permits direct computation of the amount of noble gas activity leaving the reactor vessel at the time of the accident. The result is that 0.45 Ci of noble gas activity leaves the reactor vessel during each second that the isolation valve is open.

d. Because of the short half-life of N-16, the radiological effects from this isotope are of no major concern and are not considered in the analysis.

15.6-12 REV. 0 - APRIL 1984 ;

LSCS-UTSAR l

Based on the above considerations, the amount of activity which is available for atmospheric dispersion is presented in Table ,

15.6-7.

The calculated exposures for this event are presented in Table da ,

15.6-8. As noted in comparative Table 15.6-8, these values are a ;nCvlazd !

small fraction of the 10 CFR 100 guidelines.

' EciMcJ2 I 15.6.5 Loss-of-coelant Accidents Resultino from Spectrum i s l of Postulated Pipino Breaks Within the Reactor ns 6q,fg, '

Coolant Pressure Boundary This event involves the postulation of a spectrum of piping breaks inside containment varying in size, type, and location. l The break type includes steam and/or liquid process systen lines, i This event is also coupled with severe natural environmental con-ditions and includes earthquake coincidence.

The event has been analyzed quantitatively in Sections 6.2, 6.3, 7.1, 7.3, and 8.3. Therefore, the following discussion provides only new information not presented in the subject sections. All 1 other information is covered by cross-referencing.

The release of radioactive fission products directly into the containment results from these postulated pipe breaks in the <

primary coolant pressure boundary. Possibilities for all pipe-break sizes and locations are examined in Sections 6.2 and 6.3, including the severance of small process systen lines, the main steaalines upstrema of the flow restrictors, and the recirculation loop pipelines. The most severe nuclear systen effects and the greatest' release of radioactive material to the containment result from a complete circunferen!:ial break of one '

of the two recirculation loop pipelines. The minimum required functions for the reactor and plant protection systets are discussed in Sections 6.3, 7.3, 7.6, and 8.3 and in Appendix D of the FSAR.

The postulated event represents an envelope evaluation for all liquid or steanline failures inside containment.

15.6.5.1 Identification of Causes and Frequency Classification I There are no realistic, identifiable events which would result in a pipe break inside the primary containment of the magnitude required to cause a loss-of-coolant accident coincident with a safe shutdown earthquake and a single active component failure.

The subject piping is designed, built, and analyzed to strict energency code and standards criteria, and to severe seismic and environmental conditions. However, since such an accident provides an upper limit estimate to the resultant effects for this category of pipe breaks, it is evaluated without the cause being identified.

15.6-13 REV. 0 - APRIL 1984

--- -_--------------___--__o

l l

l LSCS-UFSAR l

TABLE 15.6-5 1

{

STEAMLINE BREAK ACCIDENT - PARAMETERS TO BE TABULATED FOR POSTULATED ACCIDENT ANALYSES i

REALISTIC CONSERVATIVE (CONSERVATIVE)

(NRC) ENGINEERING ASSUMPTIONS ASSUMPTIONS I. Data and assumptions used to estimate radioactive source from postulated accidents 3458 MWt A. Power level corresponding to lost 3458 MWt NBR steam flow NA B. Burnup NA Fuel damaged None None C.

D. Release of activity by nuclide Table 15.6.4-2 Table 15.6.4-3 ,

I E. Iodine fractions 0 (1) Organic 0 1

(2) Elemental 1 0 0 (3) Particulate Subsection F. Reactor coolant activity before the Subsection accident 15.6.4.5 15.6.4.5 II. Data and assumptions used to estimate j activity released NA A. Containment leak rate (t/ day) NA NA B. Secondary containment leak rate (t/ day) NA 5.5 C. Isolation valve closure time (sec) 5.5 D. Adsorption and filtration efficiencies NA (1) Organic iodine NA NA NA j (2) Elemental iodine NA NA (3) Particulate iodine NA NA (4) Particulate fission products NA NA E. Recirculation system parameters NA NA (1) Flow rate NA (2) Mixing efficiency NA NA NA (3) Filter efficiency F. Containment spray parameters (flow NA rate, drop size, etc.) NA NA NA 'i G. Containment volumes None H. All other pertinent data and assumptions None

)

III. Dispersion Data A. Boundary and LPZ distance (meters) 509/6400 509/6400 B. x /Q's for (1) Total dose - EAB*/LPZ 6 7(-4)/6.7(-5) 1. 7 (-7 ) /5. 8 (- 8 )

IV. Dose Data A. Method of dose calculation Regulatory Guide 1.5 Reference 2 B. Dose conversion assumptions Regulatory Guide 1.5 Reference 2 C. Peak activity concentrations in NA NA containment D. Doses Table 15.6.4-4 Table 15. 6. 4- 4

• Maximum x/O occurs at 6400 meters from J release point (realistic boundary).

The X/Q at the'EAD is 6.1 (-25) sec/m .

TABLE 15.6-5 REV. 0 - APRIL 1984

-_--__________J

l LSCS-UFSAR i

TABLE 15.6-6 STEAMLINE BREAK ACCIDENT ACTIVITY RELEASED TO THE ENVIRONMENT (curies)

(Design (NRC) Basis)

ISOTOPE CURIES I-131 1.527E 00 I-132 1.410E 01 I-133 1.046E 01 I-134 2.819E 01 I-135 -1.527E 01 TOTAL HALOGENS 6.954E 01 KR-83M 6.950E-02 KR-85M 1.218E-01 KR-85 4.752E-04 KR-87 3.794E-01  !

KR-88 3.891E-01 KR-89 1.619E 00 XE-131M 3.883E-04 XE-133M 5.806E-03 XE-133 1.626E-01 XE-135M 4.759E-01 XE-135 4.388E-01 XE-137 2.138E 00 XE-138 1.619E 00 TOTAL NOBLE GASES 7.419E 00 i

i 1

l TABLE 15.6-6 REV. 0 - APRIL 1984 I

o LSCS "FSAR ,

l TABLE 15.6-7 STEAMLINE BREAK ACCIDENT 1'

ACTIVITY RELEASED TO THE ENVIRONMENT (curies)

(Realistic Analysis)

ISOTOPE ACTIVITY I-131 1.2E-01 I-132 1.lE 00 I-133 8.lE-01 I-134 2.2E 00 I-135 1.2E 00 TOTAL 5.4E 00 KR-83M 2.3E-02 KR-85M 4.lE-02 KR-85 1.6E-04 KR-87 1.2E-01 KR-88 1.3E-01 KR-89 5.4E-01 XE-131M 1.3E-04 XE-133M 1.7E-03 XE-133 5.4E-02 XE-135M 1.6E-01 XE-135 1.4E-01 XE-137 7.lE-01 XE-138 5.4E-01 TOTAL 2.5E 00 TABLE 15.6-7 REV. 0 - APRIL 1984 i

1 l'

b LSCS-UFSAR 2> r. m

?? '

e, 4 ., .e . .

i . =,=,

o --

u.em e

5 d

g.

e. m

== <<

8 ' .O m A ll EE

" J'

^

. mm 4 ob o=

i. . i e e ia .i e--M j.

.er l.

!s u N..

==

28 o -m. .=.=e NN i

4 mW mm EE N

2>

T ' NN NN mo EE EE No m oo-a -

=

i =

b  := me << <<-

W w e O No NN NN m.

i , s - 4 EE EE

! m a N J w r4 .W z <

l' W U sa J - .. - -

]

i 5 2 5 5 Wo 33 tj tj "a at g3 33 5

8. 8e. 8.

8 8 8 E'3 GO E'3GOE'3 GO h Oh O>

zi fC is u u e W W M a a 8 8 o m m o o .se -

e b

. M.

8 C

D W O k -

C M.

C -

0 W D O Q.

i 1

.a O C

O b g

< 10 0 TABLE 15.6-8 REV. 0 - APRIL 1984

~ - - - - - - - - - - - - - - - - - - . _ _ _ _ _ _ _ _

ENVIRONS i b SECONDARY SGTS CONTAINMENT CONTAINMENT = 7 LIKE STRUCTURE 4 L J L INSTRUMENT INETRUMENT LINE SMEAK LINE BREAK POTENTIAL DESIGN CASE LA SALLE COUNT Y ST ATIO N UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 15.6-3 LEAKAGE PATH FOR INSTRUMENT LINE BREAK REV.'O - APRIL 1984 a__

1llll1Ii 1 -l E

V L _.

A o R

/

V x x :>

eE E P s _

O NVL t W mEN T

S sA Ao ' _

E u nV =N _

m TNO o c

e t ' _

n $

S _

u = - _

T I

M ( u D

A Q Eg x x ::x C

~

Mg So " < "

R:L Uo Tg

> ~

K A

E t E R E N B N I L

N u S S

' A

" P t ^ Y 8

j E 5

EE NV I L LA S

xx::x I P

M U

P R

E MV \  ; T A

AN E  ;

/. W TI O ST NA I L AO

\ / u D E

E F

Ms i g

P A

gxxx '

T N

E M

N IA T

w ' N L O ^ O E L C S

F S

• E V R

' ' ' E '

M i T "

O v  : : : I M

T C

A i '

)

/ I L

E l

f j W L

N y /O F i

r> g>r o@z q> doz _

"5H$ , ~

wNd m xm -

$S5 ;

hx ,sr $M6g b m m wyM ._

G" g gt- -

o -

E< . eNe wgn;

,ff jl l

• ATTACHMENT F S&L REFERENCE DOCUMENTS

1. Leak Detection System Evaluation, Sargent & Lundy Engineers, March 1, 1985, Attachment I, Project No. 6695-00.

I l

l l

l l

l I

1

"t m._

SARSENT & LUN:DY ENG2NEERS rounocoeen SS CAST MON RC E STR ECT i

CHICAGO, ILUNOIS 60603 l .' -

( 312 ) 269 2000 ~

TWM 940 221 3807

• i e, s . . . #.

.'t March 1, 1985 Project No. 6695-00

a. , . .

- Commonwealth Edison Company ,

, *, LaSalle Generating Station

" Units 1 and 2 - -

' Leak Detection System WIN 140 and 141 AIR No. 1-83 -427

~

Mr. L. J. Corts Cognizant Engineer Station Nuclear Enginee.ing r Department Commonwealth Edison Company P. O. Box 767 Chicago, Illinois 60690

Dear Mr. Corts:

Enclosed please find a copy of the Leak Detection System Evaluation for your information and use.

If you have any questions, please contact me.

Yours verv truly, 85+df * .,

~

J. G. Krier HVAC Project Engineer -

JGK:le In duplicate Enclosure Copies:

D. C. Haan (1/0)

G. Zwarich (.1/1)

V. Gilautra (1/1)

J. Esterman (1/1)

R. J. Hammersley (1/1)

J. P. Wegrzyn (1/1)

E. P. Ricohermoso (.1/1)

HVAC File No. 20

' s ,' . .

. ?*

, *.. J T1 s.k. .

l, ,

Commonwealth Edison Company Attachment I LaSalle - Units 1 and 2 Page 1 of 2 Proj ect No. 6695-80 e

L LEAK DETECTION SYSTEM CONCERNS & RESOLUTIONS -

CONCERN No. 9 The' LaSalle Plant experienced spurious trip signals from the temperature leak detection system'during normal plant operation. CECO's concern is that the Temperature Leak Detection design basis is very conservative.in that 1 switch in Division 1 or Division 2 can isolate the system. Thus, CECO wants an investigation of the design basis and

, . possible improvement of logic design which would still maintain isolation capability but reduce spurious trips.

COMMbNTS,

a. Design References and Criteria for Leakage Detection ,

- S&L has reviewed the following reference guide, standard and specification to l determine the design basis and logic behind the Leak Detection System.

e Regulatory Guide 1.45 " Reactor Coolant Pressure Boundary Leak Detection '

Systems."

o Standard Review Plan 5.2.5 " Reactor Coolant Pressure Boundary Leakage.'.'

e General Electric Company's (GE) Design Specification for Leak Detection (CE Document Number 22A2870, Revision 7).

e General Electric Company's (GE) Design Specification Data Sheet No. 22A2870AA, Revision 3 " Leak Detection System."

The regulatory documents ao not specify quantitative requirements for performance of temperat6re monitoring systems for detecting leakage outside of the primary containment. Instead, it appears.that they specify only requirements for the capabilities of system designs required to detect leakage within the primary containment. Both the Regulatory Guide and the Standard Review Plan call for the capabilities of the system design to be able to detect an increase in leakage-rate or its equivalent of 1 GPM in less than one hour for unidentified leakage within the primary Reactor Containment. In fact, the Regulatory Guide indicated that humidity, temperature, or pressure monitoring of containment atmosphere should be considered as alarms or indirect indication of leakage to the' containment.

The specific requirements for the ability to detect a 5 GPM leak and cause an alarm as well as the ability to detect a 25 GPM leak and cause an isolation to occur are contained within the GE design specification. There are no references to regula. tory documents in the reference section of the GE design specification, and it appears that the 5 and 25 GPM values originated by the GE System Design Engineer. Within the GE specification, the words describing the uso of temperature sensors to deccet secom leaks appear as follows:

y " Alarm should be actuated by a temperature rise corresponding to the steam leakage of 5 CPM and automatically isolate the system on 25 GPM."

n k

• Attachment I i

Page 2 of 2 kby The GE Specification Data Sheet recognized that the temperature leak detection cystem is dependent on the number of design variables such as cooling capacities during winter / summer conditions, instrument inaccuracies, etc. Within this CE Data Sheet, the following is indicated:

"The Architect Engineer / Customer shall determine the setpoints for the temperature monitoring function where the fluid leakage from high temperature fluid systems will cause a corresponding equipment temperature rise. THE ALLOWABLE LEAKAGE RATES FOR ALARM AND/OR SYSTEM ISOLATION IS LIMITED BY RADIOLOGICAL RELEASE LIMITATIONS."

b. Isolation Logic Designs-S&L has reviewed the present logic designs as s,hown on Drawing Numbers 1E-1-4224AA

+ AP and determined that the designs are already optimized to the extent practical.

S&L believes that the basic caus'e of spurious isolation signal is the instrument inaccuracies '(calibration & drif t) associated with the low setpoints selection.

The present isolation setpoints were based on temperatures equivalent to a 25 GPM ,

leakage rat'e as established by GE Specification. This conservative limitations lead to the setpoints that could be easily affected by so many design variables such as changes in ventilation capacities, changes in outside environmental conditions, location of temperature sensors, etc. Major changes in the ventilation control design and on the leak detection logic will be necessary to minimize p-} spurious isolation signal and attain the leakage limitation. S&L believes that s_s such change is not necessary as it will not totally solve the spurious isolaticn, what is needed is to raise the isolation setpoints for temperature leak detection up to the environmental qualification of the equipment without exceeding the .

radiological release limitations.

Leakage in areas with safety-relate.d equipment up to the amount equivalent to equipment environmental qualification will not exceed the radiological release limitation.

/